10.2.2.4 Hub Image Visibility

Hub image visibility is the setting that determines whether a Docker Hub repository is publicly pullable by anyone or restricted to specifically authorized accounts, a fundamental configuration choice that should align deliberately with the actual sensitivity of an image's content.

Checking and Setting a Repository's Visibility

Docker Hub's web interface provides direct control over a repository's visibility setting, separate from the push command itself.

docker push myusername/myapp:1.0

This push succeeds regardless of the repository's visibility setting; that setting is configured separately through Docker Hub, not determined by the push command.

Why Visibility Should Be Decided Before the First Push

Since a public repository is immediately pullable by anyone the moment content is pushed to it, deciding on the appropriate visibility before pushing anything sensitive avoids a window of unintended public exposure.

docker push myusername/new-internal-tool:1.0

Confirming this repository is already configured as private before this first push avoids any risk of its content briefly (or not so briefly) being publicly accessible.

Changing Visibility After the Fact

While visibility can typically be changed after a repository's initial creation, changing a previously public repository to private doesn't retroactively prevent anyone who may have already pulled it from having a copy of that previously exposed content.

docker pull myusername/accidentally-public-repo:1.0

If this was pulled by someone while still public, that copy remains in their possession even after the repository's visibility is subsequently corrected.

Why Hub Image Visibility Matters

Deliberately and correctly configuring a repository's visibility, ideally before any sensitive content is ever pushed to it, is a fundamental and important step in properly protecting any content not intended for unrestricted public access.