Portal Community
  Stopped containers: Removing an image used by a stopped (but not removed) container returns a CONFLICT error. The workflow must remove those containers with container/remove first, or use a container/list + filter step to confirm no containers reference the image.

When to Use

Configuration

Connection

FieldTypeDefaultDescription
dockerHoststringunix:///var/run/docker.sockDocker daemon socket path or TCP endpoint.
connectionTypestringunixsocketOne of: unixsocket, tcp, tcptls.
tlsCertPathstringTLS certificate directory. Required for tcptls. optional
timeoutSecondsint30Operation timeout in seconds. optional

Operation Fields

FieldTypeBadgeDescription
RepositorystringrequiredImage name with tag or full image ID to remove (e.g., nginx:1.24, sha256:a3562aa…).

Sample Configuration

{
  "resource": "image",
  "operation": "remove",
  "connection": {
    "dockerHost": "unix:///var/run/docker.sock",
    "connectionType": "unixsocket"
  },
  "Repository": "myapp:v1.9.0"
}

Validation Errors

Error CodeConditionResolution
MISSING_INPUTRepository field is empty.Provide the image name, tag, or ID to remove.
NOT_FOUNDThe specified image does not exist on the host.Verify the image name. Use image/list to confirm it is present.
CONFLICTThe image is referenced by one or more containers (running or stopped).Remove or force-remove dependent containers with container/remove first.
CONFIG_ERRORConnection settings malformed.Check dockerHost and connectionType.
DOCKER_API_ERRORUnexpected daemon error.Check Docker daemon logs on the host.

Output

Success Port

FieldTypeDescription
statusstring"ok" when the image is removed successfully.
resourcestring"image"
operationstring"remove"
repositorystringThe image reference that was removed.

Error Port

Fires when removal fails. Output contains status: "error", errorCode (commonly CONFLICT or NOT_FOUND), and errorMessage.

Sample Output

{
  "status": "ok",
  "resource": "image",
  "operation": "remove",
  "repository": "myapp:v1.9.0"
}

Expression Reference

ExpressionReturns
{{ $output.status }}"ok" — use to confirm removal before logging cleanup audit event.
{{ $output.repository }}The removed image reference — include in audit log or notification.
{{ $output.errorCode }}"CONFLICT" or "NOT_FOUND" — route the error port based on this value.

Node Policies & GuardRails

PolicyEnforcement
Never expose Docker daemon TCP without TLSUse tcptls for remote connections. Plain tcp is blocked in production GuardRail profiles.
Store TLS certificates in Credentials ManagerReference tlsCertPath via {{ $credentials.dockerTlsCertPath }}.
Stop and remove containers before removing imagesAlways call container/stop and container/remove for any container using the image before calling image/remove.
Never interpolate user input into the Repository fieldImage references must come from trusted variables, not user-supplied input.
Always handle the error portWire the error port to an alerting node — CONFLICT errors indicate live containers are still dependent on the image.
Restrict container/exec to approved commandsArbitrary exec access is root-equivalent. GuardRail exec policies restrict allowed command prefixes.

Examples

Example 1 — Post-Deployment Old Image Removal

After a deployment workflow completes and the new container is healthy, remove the previous versioned image to free disk space.

// After container/start and health check pass:
{
  "resource": "image",
  "operation": "remove",
  "Repository": "{{ $vars.previousImageTag }}"
}
// e.g., previousImageTag = "myapp:v2.2.0"

Example 2 — Dangling Image Cleanup Workflow

List all images, filter for dangling ones (empty RepoTags), then loop through and remove each.

// Step 1 — image/list (no fields needed)
// Step 2 — Filter node: keep items where RepoTags.length === 0
// Step 3 — Loop: for each dangling image, call image/remove
{
  "resource": "image",
  "operation": "remove",
  "Repository": "{{ $loopItem.Id }}"
}

Example 3 — Security Remediation: Remove CVE-Flagged Image

A vulnerability scan workflow emits the image ID of a critically-affected image. Immediately remove it from all hosts before any new containers can be started from it.

{
  "resource": "image",
  "operation": "remove",
  "Repository": "{{ $trigger.affectedImageId }}"
}
// On success: post alert to Slack "Image {{ $output.repository }} removed from host"
// On error (CONFLICT): escalate — running container still uses the vulnerable image