From 02b0f9fc393ab7bcbc1d555ac4386899daad59fd Mon Sep 17 00:00:00 2001
From: Valentin Rothberg
Date: Fri, 30 Sep 2022 13:50:08 +0200
Subject: container inspect: include image digest

Include the digest of the image in `podman container inspect`. The image digest is a key information for auditing as it defines the identify of an image. This way, it can be determined whether a container used an image with a given CVE etc.

Signed-off-by: Valentin Rothberg
---
 libpod/container_inspect.go | 9 +++++++++
 libpod/define/container_inspect.go | 1 +
 2 files changed, 10 insertions(+)

(limited to 'libpod')

diff --git a/libpod/container_inspect.go b/libpod/container_inspect.go
index e4089efa6..4dc1ca3a5 100644
--- a/libpod/container_inspect.go
+++ b/libpod/container_inspect.go
@@ -166,6 +166,15 @@ func (c *Container) getContainerInspectData(size bool, driverData *define.Driver
 IsInfra: c.IsInfra(),
 IsService: c.IsService(),
 }
+
+ if config.RootfsImageID != "" { // May not be set if the container was created with --rootfs
+ image, _, err := c.runtime.libimageRuntime.LookupImage(config.RootfsImageID, nil)
+ if err != nil {
+ return nil, err
+ }
+ data.ImageDigest = image.Digest().String()
+ }
+
+ if ctrSpec.Process.Capabilities != nil {
 data.EffectiveCaps = ctrSpec.Process.Capabilities.Effective
 data.BoundingCaps = ctrSpec.Process.Capabilities.Bounding
diff --git a/libpod/define/container_inspect.go b/libpod/define/container_inspect.go
index da5c58f27..7a00d708c 100644
--- a/libpod/define/container_inspect.go
+++ b/libpod/define/container_inspect.go
@@ -659,6 +659,7 @@ type InspectContainerData struct {
 Args []string `json:"Args"`
 State *InspectContainerState `json:"State"`
 Image string `json:"Image"`
+ ImageDigest string `json:"ImageDigest"`
 ImageName string `json:"ImageName"`
 Rootfs string `json:"Rootfs"`
 Pod string `json:"Pod"`
-- 
cgit v1.2.3-54-g00ecf
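Review bot: The added `LookupImage` block makes any lookup failure fatal for the whole inspect (`return nil, err`), so a container whose image record is missing or unreadable can no longer be inspected at all, which is when an auditor or responder most needs the remaining fields. Consider treating an image-not-found error as non-fatal (leave `ImageDigest` empty and log the condition) and wrapping other errors with context, for example `return nil, fmt.Errorf("looking up image %s of container %s: %w", config.RootfsImageID, c.ID(), err)`, assuming `fmt` is already imported in this file. Whether the image can actually disappear while the container still exists depends on code outside this hunk, so this is a robustness concern, not a confirmed bug. `getContainerInspectData` starts and ends outside the hunk.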
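Review bot: `ImageDigest` is added without a doc comment, and per the guard in libpod/container_inspect.go it stays empty for containers created with --rootfs, so tooling that audits by digest cannot tell from the type that an empty string is a legitimate value. I would add `// ImageDigest is the digest of the image the container was created from; empty when the container was created with --rootfs.` above the field. The `InspectContainerData` struct continues outside the hunk.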