authorValentin Rothberg <vrothberg@redhat.com>2022-09-30 13:50:08 +0200
committerValentin Rothberg <vrothberg@redhat.com>2022-09-30 14:10:21 +0200
commit02b0f9fc393ab7bcbc1d555ac4386899daad59fd (patch)
treea38708b170e3f3376339eaa4ccb4b68d34103117 /libpod
parentd88acd83a1bdd260fc69e0ff115ff99d55bb7760 (diff)
container inspect: include image digest
Include the digest of the image in `podman container inspect`. The image digest is a key piece of information for auditing, as it defines the identity of an image. This way, it can be determined whether a container used an image with a given CVE etc. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Diffstat (limited to 'libpod')
-rw-r--r--libpod/container_inspect.go9
-rw-r--r--libpod/define/container_inspect.go1
2 files changed, 10 insertions, 0 deletions
diff --git a/libpod/container_inspect.go b/libpod/container_inspect.go
index e4089efa6..4dc1ca3a5 100644
--- a/libpod/container_inspect.go
+++ b/libpod/container_inspect.go
@@ -166,6 +166,15 @@ func (c *Container) getContainerInspectData(size bool, driverData *define.Driver
IsInfra: c.IsInfra(),
IsService: c.IsService(),
}
+
+ if config.RootfsImageID != "" { // May not be set if the container was created with --rootfs
+ image, _, err := c.runtime.libimageRuntime.LookupImage(config.RootfsImageID, nil)
+ if err != nil {
+ return nil, err
+ }
+ data.ImageDigest = image.Digest().String()
+ }
+
if ctrSpec.Process.Capabilities != nil {
data.EffectiveCaps = ctrSpec.Process.Capabilities.Effective
data.BoundingCaps = ctrSpec.Process.Capabilities.Bounding
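Review bot: A failed `LookupImage` in the added block now fails the whole inspect through `return nil, err`, so if the image can ever be absent from local storage the container becomes un-inspectable, which is exactly when an auditor or responder most needs the rest of the data. Consider treating the digest as best-effort: leave `data.ImageDigest` empty and log the lookup error instead of returning it. At minimum, wrap the error so the caller can tell which lookup failed, e.g. `return nil, fmt.Errorf("looking up image %s for digest: %w", config.RootfsImageID, err)` (assuming `fmt` is available in this file). The digest is also resolved at inspect time rather than recorded at container creation, which deserves a short comment so consumers know what the value describes. getContainerInspectData starts before and continues after this hunk.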
diff --git a/libpod/define/container_inspect.go b/libpod/define/container_inspect.go
index da5c58f27..7a00d708c 100644
--- a/libpod/define/container_inspect.go
+++ b/libpod/define/container_inspect.go
@@ -659,6 +659,7 @@ type InspectContainerData struct {
Args []string `json:"Args"`
State *InspectContainerState `json:"State"`
Image string `json:"Image"`
+ ImageDigest string `json:"ImageDigest"`
ImageName string `json:"ImageName"`
Rootfs string `json:"Rootfs"`
Pod string `json:"Pod"`
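Review bot: The new `ImageDigest` field has no doc comment, and its tag `json:"ImageDigest"` has no `omitempty`, so a container created with --rootfs will report an empty string. Suggest documenting that on the field, e.g. `// ImageDigest is the digest of the container's image; it is empty when the container was created from a rootfs.`, so audit tooling does not read an empty value as a failed lookup. The InspectContainerData struct starts before and continues past this hunk.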