image/list
List all images on the Docker host, including dangling/untagged images.
When to Use
- Security audits: Enumerate all images on the host to identify outdated tags that require patching before a scheduled vulnerability scan.
- Dangling image cleanup: Identify images whose
RepoTagsarray is empty — these are orphaned layers consuming disk space with no tag reference. - Post-pull verification: Confirm that a freshly pulled image appears in the list before proceeding to
container/createin a deployment pipeline. - Storage accounting: Sum the
Sizefield across all images to report total image layer disk usage for capacity planning. - Version comparison: Filter images by repository prefix (e.g.,
myapp) to compare which versions are cached locally against the desired release manifest.
Configuration
Connection
| Field | Type | Default | Description |
|---|---|---|---|
dockerHost | string | unix:///var/run/docker.sock | Docker daemon socket path or TCP endpoint. |
connectionType | string | unixsocket | One of: unixsocket, tcp, tcptls. |
tlsCertPath | string | — | Path to TLS certificate directory. Required when connectionType is tcptls. optional |
timeoutSeconds | int | 30 | Operation timeout in seconds. optional |
Operation Fields
This operation requires no additional input fields. Set resource to image and operation to list.
Sample Configuration
{
"resource": "image",
"operation": "list",
"connection": {
"dockerHost": "unix:///var/run/docker.sock",
"connectionType": "unixsocket",
"timeoutSeconds": 30
}
}
Validation Errors
| Error Code | Condition | Resolution |
|---|---|---|
CONFIG_ERROR | Connection settings are missing or malformed. | Verify dockerHost and connectionType are set correctly. |
AUTH_FAILED | TLS handshake failed on a tcptls connection. | Confirm tlsCertPath points to a valid cert directory with ca.pem, cert.pem, and key.pem. |
DOCKER_API_ERROR | Docker daemon returned an unexpected error. | Check daemon logs on the host; ensure the daemon is running. |
Output
Success Port
| Field | Type | Description |
|---|---|---|
status | string | "ok" on success. |
resource | string | "image" |
operation | string | "list" |
listImages | array | Array of image summary objects (see fields below). |
listImages[].Id | string | Full image ID (sha256 prefixed). |
listImages[].RepoTags | string[] | Array of "repo:tag" strings. Empty array means dangling image. |
listImages[].Size | int | Image size in bytes (uncompressed layers). |
listImages[].Created | int | Unix timestamp of image creation. |
listImages[].Labels | object | Key-value label pairs applied to the image. |
Error Port
Fires when the operation fails. The output contains status: "error", errorCode, and errorMessage describing the failure.
Sample Output
{
"status": "ok",
"resource": "image",
"operation": "list",
"listImages": [
{
"Id": "sha256:a3562aa0b991bc928a4f7e91bb2b8d8c3f16fab56a4cb7c2c07d3f2d0c2e9e1a",
"RepoTags": ["nginx:1.25", "nginx:latest"],
"Size": 186942464,
"Created": 1716825600,
"Labels": {
"maintainer": "platform-team"
}
},
{
"Id": "sha256:c7d1b2a5f3e889a12b3c0011df4563c0ae3b0fe412c0dd8e21c3b90e5f76a2d1",
"RepoTags": [],
"Size": 72351744,
"Created": 1715200000,
"Labels": {}
}
]
}
Expression Reference
| Expression | Returns |
|---|---|
{{ $output.listImages[0].RepoTags[0] }} | First tag of the first image (e.g., "nginx:1.25"). |
{{ $output.listImages[0].Id }} | Full sha256 image ID of the first image. |
{{ $output.listImages.length }} | Total number of images on the host. |
{{ $output.listImages[0].Size }} | Image size in bytes — divide by 1073741824 for GB. |
{{ $output.listImages[0].Labels['org.opencontainers.image.version'] }} | OCI version label value if present. |
Node Policies & GuardRails
| Policy | Enforcement |
|---|---|
| Never expose Docker daemon TCP without TLS | Use tcptls for remote connections. Plain tcp is blocked in production GuardRail profiles. |
| Store TLS certificates in Credentials Manager | Reference tlsCertPath via {{ $credentials.dockerTlsCertPath }} — never hard-code paths. |
| Never interpolate user input into connection fields | The dockerHost value must come from credentials or fixed configuration, not user-supplied data. |
| Use named containers and volumes in dependent workflows | When acting on results from image/list, prefer filtering by RepoTags values rather than raw IDs to improve workflow readability. |
| Always handle the error port | Docker daemon may be unavailable. Workflows without error port wiring will silently fail on daemon downtime. |
| Restrict container/exec to approved commands | Arbitrary exec access is root-equivalent. GuardRail exec policies restrict allowed command prefixes. |
Examples
Example 1 — Find All Dangling Images
Use image/list followed by a filter step to isolate dangling images (those with no tags), then pass each to image/remove for cleanup.
// Filter node expression — evaluates to true for dangling images
{{ $output.listImages[*].RepoTags.length === 0 }}
// Then pass the Id of each dangling image to image/remove
{{ $loopItem.Id }}
Example 2 — Verify Image Was Pulled After CI Build
After a CI build triggers an image/pull, run image/list and check that the expected tag appears in the results before proceeding to deploy.
{
"resource": "image",
"operation": "list"
}
// Downstream condition node:
// {{ $output.listImages.some(img => img.RepoTags.includes("myapp:v2.3.1")) }}
Example 3 — Storage Usage Report
Aggregate total image disk usage across the host and post a summary to a monitoring dashboard.
// Expression to sum all image sizes (bytes):
{{ $output.listImages.reduce((sum, img) => sum + img.Size, 0) }}
// Convert to GB in a downstream Set-Variable node:
{{ ($output.totalBytes / 1073741824).toFixed(2) }} GB