Skip to main content

Overview

Pull Docker images from public or private registries. Supports automatic vulnerability scanning after pull completion and real-time progress streaming via Server-Sent Events.

Endpoint

Query Parameters

env
integer
Environment ID where the image will be pulled. Optional for local environments.

Request Body

image
string
required
Image name with optional tag or digest:
  • nginx:latest
  • ubuntu:22.04
  • registry.example.com/app:v1.0
  • nginx@sha256:abc123...
scanAfterPull
boolean
default:"true"
Run vulnerability scan after successful pull. Set to false to skip scan-on-pull when caller will handle scanning separately.

Authentication

Requires images:pull permission for the specified environment.

Registry Authentication

Authentication headers are automatically built using configured registry credentials. Private registries must be configured in Dockhand settings.

Response Format

Returns a job ID for progress tracking via SSE:
Connect to the SSE endpoint to receive progress updates:

Progress Events

Download Progress

Extraction Progress

Scan Progress (if enabled)

Scan Results

Complete

Error

Error Responses

403
object
Permission denied
error (edge)
object
Edge agent not connected

Edge Mode Support

For Hawser Edge environments, pull operations are proxied through the edge agent:

Tag Parsing

The endpoint intelligently parses image names with tags and digests:

Scan-on-Pull

Automatic vulnerability scanning after pull (if scanner is configured):

Usage Examples

Pull Public Image

Pull Private Registry Image

Pull with Digest

Stream Progress (JavaScript)

Audit Logging

Pull operations are automatically logged:

Notes

  • Supports both local and edge environments via Hawser
  • Registry authentication is automatic based on configured registries
  • Scan-on-pull respects environment scanner settings
  • Progress events are streamed in real-time via Server-Sent Events
  • Tag defaults to latest if not specified
  • Digest format bypasses tag resolution