Portal Community

When to Use

Configuration

Connection

FieldTypeDefaultDescription
dockerHoststringunix:///var/run/docker.sockDocker daemon socket path or TCP endpoint.
connectionTypestringunixsocketOne of: unixsocket, tcp, tcptls.
tlsCertPathstringPath to TLS certificate directory. Required when connectionType is tcptls. optional
timeoutSecondsint30Operation timeout in seconds. optional

Operation Fields

This operation requires no additional input fields. Set resource to image and operation to list.

Sample Configuration

{
  "resource": "image",
  "operation": "list",
  "connection": {
    "dockerHost": "unix:///var/run/docker.sock",
    "connectionType": "unixsocket",
    "timeoutSeconds": 30
  }
}

Validation Errors

Error CodeConditionResolution
CONFIG_ERRORConnection settings are missing or malformed.Verify dockerHost and connectionType are set correctly.
AUTH_FAILEDTLS handshake failed on a tcptls connection.Confirm tlsCertPath points to a valid cert directory with ca.pem, cert.pem, and key.pem.
DOCKER_API_ERRORDocker daemon returned an unexpected error.Check daemon logs on the host; ensure the daemon is running.

Output

Success Port

FieldTypeDescription
statusstring"ok" on success.
resourcestring"image"
operationstring"list"
listImagesarrayArray of image summary objects (see fields below).
listImages[].IdstringFull image ID (sha256 prefixed).
listImages[].RepoTagsstring[]Array of "repo:tag" strings. Empty array means dangling image.
listImages[].SizeintImage size in bytes (uncompressed layers).
listImages[].CreatedintUnix timestamp of image creation.
listImages[].LabelsobjectKey-value label pairs applied to the image.

Error Port

Fires when the operation fails. The output contains status: "error", errorCode, and errorMessage describing the failure.

Sample Output

{
  "status": "ok",
  "resource": "image",
  "operation": "list",
  "listImages": [
    {
      "Id": "sha256:a3562aa0b991bc928a4f7e91bb2b8d8c3f16fab56a4cb7c2c07d3f2d0c2e9e1a",
      "RepoTags": ["nginx:1.25", "nginx:latest"],
      "Size": 186942464,
      "Created": 1716825600,
      "Labels": {
        "maintainer": "platform-team"
      }
    },
    {
      "Id": "sha256:c7d1b2a5f3e889a12b3c0011df4563c0ae3b0fe412c0dd8e21c3b90e5f76a2d1",
      "RepoTags": [],
      "Size": 72351744,
      "Created": 1715200000,
      "Labels": {}
    }
  ]
}

Expression Reference

ExpressionReturns
{{ $output.listImages[0].RepoTags[0] }}First tag of the first image (e.g., "nginx:1.25").
{{ $output.listImages[0].Id }}Full sha256 image ID of the first image.
{{ $output.listImages.length }}Total number of images on the host.
{{ $output.listImages[0].Size }}Image size in bytes — divide by 1073741824 for GB.
{{ $output.listImages[0].Labels['org.opencontainers.image.version'] }}OCI version label value if present.

Node Policies & GuardRails

PolicyEnforcement
Never expose Docker daemon TCP without TLSUse tcptls for remote connections. Plain tcp is blocked in production GuardRail profiles.
Store TLS certificates in Credentials ManagerReference tlsCertPath via {{ $credentials.dockerTlsCertPath }} — never hard-code paths.
Never interpolate user input into connection fieldsThe dockerHost value must come from credentials or fixed configuration, not user-supplied data.
Use named containers and volumes in dependent workflowsWhen acting on results from image/list, prefer filtering by RepoTags values rather than raw IDs to improve workflow readability.
Always handle the error portDocker daemon may be unavailable. Workflows without error port wiring will silently fail on daemon downtime.
Restrict container/exec to approved commandsArbitrary exec access is root-equivalent. GuardRail exec policies restrict allowed command prefixes.

Examples

Example 1 — Find All Dangling Images

Use image/list followed by a filter step to isolate dangling images (those with no tags), then pass each to image/remove for cleanup.

// Filter node expression — evaluates to true for dangling images
{{ $output.listImages[*].RepoTags.length === 0 }}

// Then pass the Id of each dangling image to image/remove
{{ $loopItem.Id }}

Example 2 — Verify Image Was Pulled After CI Build

After a CI build triggers an image/pull, run image/list and check that the expected tag appears in the results before proceeding to deploy.

{
  "resource": "image",
  "operation": "list"
}
// Downstream condition node:
// {{ $output.listImages.some(img => img.RepoTags.includes("myapp:v2.3.1")) }}

Example 3 — Storage Usage Report

Aggregate total image disk usage across the host and post a summary to a monitoring dashboard.

// Expression to sum all image sizes (bytes):
{{ $output.listImages.reduce((sum, img) => sum + img.Size, 0) }}

// Convert to GB in a downstream Set-Variable node:
{{ ($output.totalBytes / 1073741824).toFixed(2) }} GB