skopeo

Inspect a remote image from a registry

$ skopeo inspect docker://[registry_hostname]/[image:tag]

$ skopeo list-tags docker://[registry_hostname]/[image]

$ skopeo copy docker://[registry_hostname]/[image:tag] dir:[path/to/directory]

$ skopeo copy docker://[source_registry]/[image:tag] docker://[destination_registry]/[image:tag]

$ skopeo delete docker://[registry_hostname]/[image:tag]

$ skopeo login --username [username] [registry_hostname]

skopeo command [ command options ] arguments

Examples:
skopeo inspect [ options ] transport:imageReference
skopeo copy [ options ] source-image destination-image

--debug
    Output detailed debugging information.

--insecure-policy
    Use an insecure signature policy, skipping policy checks.
Use with caution!

--override-arch arch
    Override the architecture for the image (e.g., 'arm64', 'amd64').

--override-os os
    Override the operating system for the image (e.g., 'linux', 'windows').

--tls-verify=bool
    Require HTTPS and verify certificates when accessing registries (default: true).

copy --all
    Copy all images if the source is a list (e.g., all architectures of a multi-arch image).

copy --format format
    Set the format of the destination image (e.g., 'oci', 'docker', 'v2s1').

copy --dest-creds username:password
    Credentials for authenticating with the destination registry.

inspect --format format
    Use a Go template string to format the output.
Example: '{{.Name}}'

skopeo is a command-line utility for working with container images and image repositories. It allows users to inspect images without downloading the entire image, copy images between various storage backends (e.g., Docker registries, local directories, OCI archives, podman/docker daemon storage), delete images from registries, and perform cryptographic operations like signing and verifying images. Unlike full container engines, skopeo operates at a lower level, directly interacting with image manifests and layers. This makes it particularly useful for tasks such as migrating images between different registries, creating local backups of remote images, or managing images in air-gapped environments where direct manipulation of image data is needed without a running container runtime.

skopeo relies on the containers/image library for its core functionality. While powerful, direct manipulation of image registries requires careful handling of credentials and understanding of image manifests.
Improper use, especially with options like --insecure-policy or disabling TLS verification, can compromise security.

skopeo uses a URI-like syntax to specify image locations, known as 'transports'. These prefixes indicate where the image is located:
docker:// - A Docker-compatible registry (e.g., docker.io/library/ubuntu)
containers-storage:// - The local image store managed by podman or buildah (e.g., containers-storage:localhost/my-image)
oci:// - An OCI layout directory (e.g., oci:/path/to/oci/layout:tag)
dir:// - A directory with a single image, often used for local backups (e.g., dir:/path/to/image-dir)
docker-daemon:// - Images stored in a local Docker daemon (e.g., docker-daemon:ubuntu:latest)

skopeo emerged from the need for a standalone tool to manipulate container images without requiring a full container runtime or daemon. It is part of the broader containers/image project, which provides libraries for working with container images, registries, and signatures. Its development emphasizes compliance with OCI (Open Container Initiative) image specifications, making it a flexible tool in the modern container ecosystem.

podman(1), docker(1), buildah(1), crictl(8)