6.4 Avoid image sprawl

Information

Do not keep a large number of container images on the same host. Use only tagged images as appropriate.

Rationale:

Tagged images are useful to fall back from "latest" to a specific version of an image in production. Images with unused or old tags may contain vulnerabilities that could be exploited if instantiated. Additionally, if you fail to remove unused images from the system and many such redundant and unused images accumulate, the host filesystem may fill up, leading to a denial of service.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Keep only the set of images that you actually need and establish a workflow to remove old or stale images from the host. Additionally, use features such as pull-by-digest to get specific images from the registry.

Additionally, you can follow the steps below to find unused images on the system and delete them.

Step 1: Make a list of all image IDs that are currently instantiated by executing the command below (it inspects every container, running or stopped, and prints the container ID with the ID of the image it was created from):

docker ps --all --quiet | xargs docker inspect --format '{{ .Id }}: Image={{ .Image }}'

Step 2: List all the images present on the system by executing the command below:

docker images

Step 3: Compare the list of image IDs from Step 1 with the list from Step 2 and identify the images that are not currently instantiated.

Step 4: Decide if you want to keep the images that are not currently in use. If not, delete them by executing the command below:

docker rmi $IMAGE_ID
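Automating Steps 1 to 3 as a POSIX shell script, as an added example that is not part of the CIS benchmark or of the Nessus audit item. It assumes the docker CLI is on PATH; the function and variable names (unused_images, images_in_use, images_on_host, report_unused, sample_*) are my own, and the sample IDs are constructed.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark or the Nessus audit text:
# automates Steps 1-3 above. Assumes the docker CLI is on PATH and the caller
# may talk to the daemon. Nothing is removed; Step 4 remains a human decision.

# Print every ID in the newline-separated list $1 that does not occur in the
# newline-separated list $2. Pure text processing, so it is testable offline.
unused_images() {
    printf '%s\n' "$1" | sort -u | while IFS= read -r id; do
        [ -n "$id" ] || continue
        if ! printf '%s\n' "$2" | grep -Fxq -e "$id"; then
            printf '%s\n' "$id"
        fi
    done
}

# Step 1: full image IDs referenced by any container, running or stopped.
# .Image on a container is the sha256 ID, so it compares exactly with Step 2.
images_in_use() {
    ids=$(docker ps --all --quiet)
    [ -n "$ids" ] || return 0                      # no containers: nothing in use
    docker inspect --format '{{ .Image }}' $ids     # word splitting intended
}

# Step 2: every image on the host, untruncated so the IDs match Step 1.
images_on_host() {
    docker images --no-trunc --quiet
}

# Step 3: images that no container references. Candidates for review only.
report_unused() {
    unused_images "$(images_on_host)" "$(images_in_use)"
}

# Constructed sample data (not from a real host) so the logic runs offline.
sample_host="sha256:1111
sha256:2222
sha256:1111
sha256:3333"
sample_in_use="sha256:2222"

if [ "${1:-}" = "--live" ]; then
    report_unused
else
    unused_images "$sample_host" "$sample_in_use"   # prints sha256:1111 and sha256:3333
fi
```

Run with --live on a Docker host to report against real images. An image that is unreferenced here may still be the parent of another image, in which case docker rmi refuses to remove it until the dependent images are gone.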

Impact:

None

Default Value:

Images and layered filesystems remain accessible on the host until the administrator removes all tags that refer to those images or layers.

See Also

https://workbench.cisecurity.org/files/1476

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: Unix

Control ID: 6652dbe1761dcef8624fb3778b3fd4042edf648f4b4f7c7f898c1c175e82ff71