Portal Community

When to Use

Configuration

Connection

FieldTypeDefaultDescription
dockerHoststringunix:///var/run/docker.sockDocker daemon socket path or TCP endpoint.
connectionTypestringunixsocketOne of: unixsocket, tcp, tcptls.
tlsCertPathstringTLS certificate directory. Required when connectionType is tcptls. optional
timeoutSecondsint30Operation timeout in seconds. optional

Operation Fields

FieldTypeBadgeDescription
RepositorystringrequiredImage name with optional tag or digest (e.g., nginx:1.25, sha256:a3562aa…).

Sample Configuration

{
  "resource": "image",
  "operation": "inspect",
  "connection": {
    "dockerHost": "unix:///var/run/docker.sock",
    "connectionType": "unixsocket"
  },
  "Repository": "nginx:1.25"
}

Validation Errors

Error CodeConditionResolution
MISSING_INPUTRepository field is empty.Provide an image name, tag, or digest.
NOT_FOUNDThe specified image does not exist on the host.Run image/pull first or verify the image name.
CONFIG_ERRORConnection settings malformed.Check dockerHost and connectionType.
AUTH_FAILEDTLS handshake failed.Verify tlsCertPath contains valid certificates.
DOCKER_API_ERRORDaemon returned an unexpected error.Check Docker daemon logs on the host.

Output

Success Port

FieldTypeDescription
statusstring"ok" on success.
resourcestring"image"
operationstring"inspect"
imageInfo.IdstringFull sha256 image ID.
imageInfo.RepoTagsstring[]All tags associated with this image.
imageInfo.RepoDigestsstring[]Content-addressable digests from registries.
imageInfo.CreatedstringISO 8601 creation timestamp.
imageInfo.SizeintImage size in bytes.
imageInfo.VirtualSizeintVirtual size including shared layers.
imageInfo.Config.Cmdstring[]Default command defined in the image.
imageInfo.Config.Envstring[]Default environment variables (KEY=VALUE format).
imageInfo.Config.ExposedPortsobjectPorts declared in the image (e.g., {"80/tcp": {}}).
imageInfo.Config.LabelsobjectImage labels including OCI annotations.
imageInfo.Config.WorkingDirstringDefault working directory inside the container.
imageInfo.RootFS.Layersstring[]Array of layer digest strings.

Error Port

Fires when the operation fails. Output contains status: "error", errorCode, and errorMessage.

Sample Output

{
  "status": "ok",
  "resource": "image",
  "operation": "inspect",
  "imageInfo": {
    "Id": "sha256:a3562aa0b991bc928a4f7e91bb2b8d8c3f16fab56a4cb7c2c07d3f2d0c2e9e1a",
    "RepoTags": ["nginx:1.25"],
    "RepoDigests": ["nginx@sha256:593dac25b7733ffb7afe1a72649a43e574778bf025ad60514ef40f6b5d606247"],
    "Created": "2024-05-27T10:00:00Z",
    "Size": 186942464,
    "VirtualSize": 186942464,
    "Config": {
      "Cmd": ["nginx", "-g", "daemon off;"],
      "Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "NGINX_VERSION=1.25.3"],
      "ExposedPorts": { "80/tcp": {} },
      "Labels": {
        "maintainer": "NGINX Docker Maintainers",
        "org.opencontainers.image.version": "1.25.3"
      },
      "WorkingDir": ""
    },
    "RootFS": {
      "Layers": [
        "sha256:7264a8db6415046d36d16ba98b79778e18accee6ffa71850405994cffa9be7de",
        "sha256:2c40c66f7667b5ef8c3ef66173a4a95f66b5e72e25f6c14bb0a8ac9f0bc5b3ae"
      ]
    }
  }
}

Expression Reference

ExpressionReturns
{{ $output.imageInfo.Id }}Full sha256 image ID.
{{ $output.imageInfo.RepoDigests[0] }}First registry digest for supply-chain verification.
{{ $output.imageInfo.Config.Labels['org.opencontainers.image.version'] }}OCI semantic version label.
{{ $output.imageInfo.Config.ExposedPorts }}Object of exposed port declarations.
{{ $output.imageInfo.Created }}ISO 8601 image creation timestamp.

Node Policies & GuardRails

PolicyEnforcement
Never expose Docker daemon TCP without TLSUse tcptls for remote connections. Plain tcp is blocked in production GuardRail profiles.
Store TLS certificates in Credentials ManagerReference tlsCertPath via {{ $credentials.dockerTlsCertPath }} — never hard-code paths.
Verify image digest before production deployCompare imageInfo.RepoDigests[0] against your release manifest's expected digest. Route to abort node on mismatch.
Never interpolate user input into the Repository fieldThe image name must come from a trusted workflow variable, not raw user input, to prevent path injection.
Always handle the error portA NOT_FOUND error means the image was never pulled — always wire the error port to an alerting or pull-and-retry flow.
Restrict container/exec to approved commandsArbitrary exec access is root-equivalent. GuardRail exec policies restrict allowed command prefixes.

Examples

Example 1 — Digest Verification Before Deploy

Inspect the image to retrieve its registry digest, then compare to the expected value stored in a workflow variable before proceeding to container creation.

{
  "resource": "image",
  "operation": "inspect",
  "Repository": "{{ $vars.deployImage }}"
}
// Downstream condition:
// {{ $output.imageInfo.RepoDigests[0] === $vars.expectedDigest }}

Example 2 — Extract Ports for Dynamic Port Binding

Read Config.ExposedPorts from the image and pass the keys to a downstream container/create node to build port mappings automatically.

// Get the first exposed port key (e.g., "80/tcp"):
{{ Object.keys($output.imageInfo.Config.ExposedPorts)[0] }}

// Strip "/tcp" suffix to get port number:
{{ Object.keys($output.imageInfo.Config.ExposedPorts)[0].split('/')[0] }}

Example 3 — Freshness Gate

Compare the image creation date against a max-age threshold. If the image is stale, route to an image/pull node to refresh it.

// Calculate age in days:
{{ Math.floor((Date.now() - new Date($output.imageInfo.Created).getTime()) / 86400000) }}

// Route condition (stale if older than 7 days):
// {{ imageAgeDays > 7 }}