3.2.3 Image Digests

A focused guide to Image Digests, connecting core concepts with practical Docker and container operations.

Image digests are cryptographic hashes computed from an image's actual content, providing a permanent, unambiguous identifier that, unlike a tag, can never be reassigned to refer to different content — a digest is, by definition, only ever a reference to exactly the bytes that produced it.

What a Digest Looks Like

A digest is written as the hash algorithm name, a colon, and the hexadecimal hash value. It is appended to a repository name with an @ separator rather than the : used for tags.

myapp@sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Retrieving an Image by Digest

Pulling or running an image by its digest guarantees retrieval of exactly one specific, unchanging set of content, regardless of what any tag currently points to.

docker pull myapp@sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
docker run myapp@sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Finding an Image's Digest

Every image has a digest, whether or not it is ever explicitly referenced by it, and this digest can be retrieved for any locally available or remote image.

# RepoDigests lists the registry digests usable after @; .Id is the local image ID
docker inspect --format '{{json .RepoDigests}}' myapp:1.0
docker images --digests myapp

Digests as the Most Reliable Reference

Because a digest cannot be reassigned the way a tag can, referencing an image by digest in deployment configuration provides the strongest possible guarantee that the exact intended content will be retrieved, eliminating any risk introduced by a tag being unexpectedly reassigned.

docker run -d registry.example.com/myapp@sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
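
The pinning recommendation above can be enforced in CI. As an added example that is not part of the original page, this script flags every image: entry in a Compose-style file that is not pinned with a full @sha256: digest; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: audit a Compose-style file for
# image references that are not pinned by digest.

# Succeeds only when the reference ends in @sha256:<64 lowercase hex chars>,
# so tag-only, untagged and truncated-digest references all fail.
is_pinned() {
    printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# Prints "LINE: REFERENCE" for each "image:" value in file $1 that is unpinned.
unpinned_images() {
    grep -nE '^[[:space:]]*image:' "$1" |
    tr -d "\"'\r" |
    sed -E 's/^([0-9]+):[[:space:]]*image:[[:space:]]*/\1: /; s/[[:space:]]+#.*$//; s/[[:space:]]+$//' |
    while IFS= read -r entry; do
        is_pinned "${entry#*: }" || printf '%s\n' "$entry"
    done
}

# Exit status for CI: 0 when every image is pinned, 1 otherwise.
audit_compose() {
    report=$(unpinned_images "$1")
    if [ -z "$report" ]; then return 0; fi
    printf 'unpinned image references in %s:\n%s\n' "$1" "$report" >&2
    return 1
}

# Constructed sample input (hypothetical services; names reuse the page's examples).
sample_compose() {
    cat <<'EOF'
services:
  web:
    image: registry.example.com/myapp@sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  worker:
    image: registry.example.com/myapp:2.3.0
  cache:
    image: "myapp"   # no tag, resolves to latest
  api:
    image: registry.example.com/myapp:1.0@sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  batch:
    image: registry.example.com/myapp@sha256:e3b0c442
EOF
}

sample=$(mktemp)
sample_compose > "$sample"
audit_compose "$sample" || echo "audit failed as expected for the sample"
rm -f "$sample"
```

A reference that carries both a tag and a digest (the api service) passes, because the digest is what selects the content.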

Tradeoffs of Using Digests Directly

Digests are precise but not human-readable, which is why they are often used internally by automated deployment systems (which can record and verify them automatically) while tags remain the more practical, human-facing way to refer to images day to day.

docker inspect --format '{{index .RepoDigests 0}}' myapp:2.3.0

Why Image Digests Matter

Digests provide the foundational guarantee that makes image immutability verifiable rather than merely assumed — any system that needs absolute certainty about exactly which image content is being referenced should rely on the digest, not the tag, to express that reference.
