Skip to main content David Edelstein's Blog

ECR Image Inspector

Published: 2024-02-29
David Edelstein

I was trying to investigate a base image for an old image I had in ECR. The image was built with an ARG for the base, so I wanted to see if I could figure out what was setup at build time for that old image. I was mostly unsuccessful :(. Although some of the scripts below were interesting

Install awscli - for this user only b/c I don’t have global permissions

pip install awscli --user

Export required secrets. copy paste from control tower for this account+role


Configure awscli with export variables

python -m awscli configure

Login to docker

python -m awscli ecr get-login-password | docker login -u AWS --password-stdin https://$

Pull the image


Inspect using basic tools!

docker inspect $IMAGE

Unfortunately this tells you only strange information about file system etc as resolved by hash. It doesn’t tell you the base image’s name.

So try to use dfimage from alpine

Remember to use // for a windows pc!

alias dfimage="docker run -v //var/run/docker.sock:/var/run/docker.sock --rm alpine/dfimage"


This recovers the dockerfile! But it doesn’t tell me the base image.

At this point I gave up and just hardcoded a new working image and got the project to work this way.