Tools for browsing and manipulating docker registries.
Go Shell
Switch branches/tags
Clone or download

Build Status

What is it?

Docker-ls is a set of CLI tools for browsing and manipulating docker registries. In particular, docker-ls can handle authentication and display the sha256 content digests associated with tags.

What registries are supported

Only V2 registries are supported. Both HTTP basic auth and docker style token authentication are supported for authentication.


Six ways there are to attain enlightenment.

Precompiled binaries

Just download precompiled binaries for your platform from github.

MacOS / Homebrew

You can install docker-ls directly from homebrew:

brew install docker-ls

Gentoo / portage

emerge docker-ls


nix-env -iA nixos.docker-ls


If you have Docker installed, you may want to try this option. Clone the repository and do:

docker build -t docker-ls .

Example of running container:

$ docker run -it docker-ls docker-ls tags library/consul
requesting list . done
repository: library/consul
- latest
- v0.6.4

Or create aliases:

$ alias docker-ls='docker run -it docker-ls docker-ls'
$ alias docker-rm='docker run -it docker-ls docker-rm'

So you can do:

$ docker-ls tags library/consul
requesting list . done
repository: library/consul
- latest
- v0.6.4


$ docker-rm | head -n 3
usage: docker-rm [options] <repository:reference>

Delete a tag in a given repository.

Go get

Provided that you sport an installation of golang, the latest version from master can be installed via

go get -d
go generate
go install

Isn't a simple go get sufficient, you ask? Indeed it is, but including the generate step detailed above will encode verbose version information in the binaries.


Docker-ls contains two CLI tools: docker-ls and docker-rm .


docker-ls is a browser for docker registries. Output is either encoded as YAML or as JSON.

Several subcommands are available

  • docker-ls repositories Obtains a list of repositories on the server. This is not supported by the official docker hub.
  • docker-ls tags Lists all tags in a a particular repository.
  • docker-ls tag Inspect a particular tag. This command displays a condensed version of the corresponding manifest by default, but the --raw-manifest option can be used to dump the full manifest. The --parse-history option can be used to display the JSON-encoded history within the manifest.

Important command line flags

This list is not exhaustive; please consult the command line (-h) help for all options.

  • --registry <url> (-r) Connect to the registry at . The URL must include the protocol (http / https). By default, docker-ls targets the official docker hub.
  • --user <user> (-u) Username for authentication.
  • --password <password> (-p) Password for authentication.
  • --interactive-password (-i) Read the password from an interactive prompt.
  • --level <depth> (-l) The repositories and tags subcommands support this option for recursive output. Depths 0 (default) and 1 are supported. Please note the recursing means more API requests and may be slow.
  • --json (-j) Switch output format from YAML to JSON.
  • --basic-auth Use HTTP basic auth for authentication (instead of token authentication).
  • --allow-insecure Do not validate SSL certificates (useful for registries secured with a self-signed certificate).
  • --manifest-version Request either manifest version V2.1 (--manifest-version 1 or manifest version V2.2 (--manifest-version 2, default) from the registry. Please note that deleting manifests from registry version >= 2.3 will work only with content digests from a V2.2 manifest.


List all repositories in a custom registry:

docker-ls repositories --registry --user hanni --password hanni123

List all repositories in a custom registry, including their tags:

docker-ls repositories --registry --user hanni --password hanni123 --level 1

List all tags in stuff/busybox using HTTP basic auth

docker-ls tags --registry --user hanni --password hanni123 --basic-auth stuff/busybox

Inspect tag stuff/busybox:latest, no authentication, JSON output.

docker-ls tag --registry --json stuff/busybox:latest

Inspect tag stuff/busybox:latest, no authentication, dump the raw manifest with parsed history as JSON.

docker-ls tag --registry --json --raw-manifest --parse-history stuff/busybox:latest

Notes considering the offical registry

If no registry is specified, docker-ls will target the official registry server at Please note that:

  • The official registry does not support repository listing via docker-ls repositories
  • Official repositories must be prefixed with library/, e.g. docker-ls tags library/debian


docker-rm can delete particular tags. Example:

docker-rm --registry --user someuser --password somepass busybox:sha256:51fef[...]

(the digest has been truncated for brevity). Please consult the command line help for a full list of all arguments.

Some remarks:

  • The tag must be specified as a sha256 content digest.
  • While tags can be deleted, the current registry implementation will (to the best of my knowledge) not free the space associated with any resulting unused layers
  • Deleting stuff is currently disabled by default in the official registry and needs to be enabled explicitly — check out this issue for details.
  • Content digests obtained with --manifest-version 1 will not work with registry version >= 2.3.
  • BE CAREFUL! The API does not implement undelete :)

Using a proxy

docker-ls supports HTTP / HTTPS proxies configured via the corresponding canonical environment variables. Check out the corresponding documentation for details.

Configuration via config files and environment variables

All options that can be specified via CLI flags can be read from a config file or from an environment variables. The priority is CLI flag > environment variable > config file.

Config files

By default, both tools try to read ~/.docker-ls.[yaml|json|toml|...] (please check the Viper documentation for a full list of the supported formats). The names of the keys in the file are the long names of the CLI flags. For example, the following YAML file would configure registry URL and username

user: foo

Other config files can be specified via the --config option.

Environment variables

In addition to config files and CLI flags, environment variables can be used to specify options globally. The name is determined by taking the long CLI name, uppercasing replacing hyphens "-" with underscores "_" and prefixing the result with "DOCKER_LS_". For example, the following would enable interactive password prompts for all consecutive invocations:


Shell autocompletion

Both docker-ls and docker-rm support shell autocompletion for subcommands and options. To enable this, source the output of docker-ls autocomplete bash|zsh and docker-rm autocomplete bash|zsh in the running shell. In case of bash, this can be achieved with

$ source <(docker-ls autocomplete bash)


Docker-ls is distributed under the terms of the MIT license.