How to inspect a Docker image without running it
You want to know what’s inside a Docker image - the layers, the environment variables, the entrypoint, the files - but you don’t want to docker run it. Maybe it isn’t yours. Maybe it does something you don’t trust. Maybe you don’t have a shell inside it.
The Metadata: docker inspect
```bash
docker inspect my-image:tag
```
Prints the manifest as JSON: environment variables, entrypoint, cmd, exposed ports, labels, volumes, working directory, config hash. The one-stop for “what does this image say it does.”
Narrow to what you actually want:
```bash
docker inspect --format '{{.Config.Env}}' my-image:tag
docker inspect --format '{{.Config.Cmd}}' my-image:tag
```
The Layer History: docker history
```bash
docker history my-image:tag
```
Every layer with the command that created it and its size. Great for spotting the layer that made your image 2 GB bigger than it should be.
Add --no-trunc to see the full commands (they get cut off by default):
```bash
docker history --no-trunc my-image:tag
```
The Files: dive
dive is the interactive tool for exploring layers file by file:
```bash
dive my-image:tag
```
Split-pane TUI: layers on the left, filesystem tree on the right. Highlights files added, modified, and removed per layer. The fastest way to answer “why is this image so big” or “where did that file end up.”
The Files Without Docker Running: crane export
If the Docker daemon isn’t running (CI, air-gapped machine), crane can pull and extract without one:
```bash
crane export my-registry/my-image:tag - | tar -tvf -
```
Lists every file in the image without creating a container.
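
One way to script that listing into a quick permissions audit, as an added example that is not part of the original post: it reads the tar stream `crane export` writes and reports setuid, setgid and world-writable regular files from the headers alone. The function names, the file name `audit_tar.py` and the sample archive are constructed for illustration.

```python
import io
import stat
import sys
import tarfile


def audit_tar(fileobj):
    """Scan an image filesystem tar stream; return (flag, mode, path) findings.

    Streaming mode ("r|") walks the headers in order, so nothing is
    extracted to disk and nothing from the image is executed.
    """
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r|") as tar:
        for member in tar:
            if not member.isfile():  # skip dirs, symlinks, hard links, devices
                continue
            mode = member.mode
            if mode & stat.S_ISUID:
                findings.append(("setuid", oct(mode), member.name))
            if mode & stat.S_ISGID:
                findings.append(("setgid", oct(mode), member.name))
            if mode & stat.S_IWOTH:
                findings.append(("world-writable", oct(mode), member.name))
    return findings


def build_sample_tar():
    """Constructed sample archive standing in for `crane export` output."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode in [("usr/bin/passwd", 0o4755), ("usr/bin/wall", 0o2755),
                           ("etc/app.conf", 0o666), ("bin/ls", 0o755)]:
            data = b"x"
            info = tarfile.TarInfo(name)
            info.mode = mode
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Real use: crane export my-registry/my-image:tag - | python3 audit_tar.py
    source = build_sample_tar() if sys.stdin.isatty() else sys.stdin.buffer
    for flag, mode, path in audit_tar(source):
        print(f"{flag:15} {mode:8} {path}")
```

Run with no pipe attached, it audits the constructed sample so the output format can be checked before pointing it at a real image.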
Which One When
| Question | Command |
|---|---|
| What env vars / entrypoint / cmd? | docker inspect |
| Why is this image so big? | docker history or dive |
| What files does it contain? | dive (interactive), crane export (scriptable) |
| I don’t have Docker running | crane (works against the registry directly) |
Why This Matters
Running an untrusted image just to look at it is a bad habit. inspect, history, and dive let you understand an image before you give it a container to run in. That’s the difference between “I audited this base image” and “I ran a container to see what was in it.”