
How do I check if my local docker image is outdated, without pushing from somewhere else?


You can query the registry API for the image digest and compare it to that of what you've pulled.

    $ cat digest-v2.sh
    #!/bin/sh
    ref="${1:-library/ubuntu:latest}"
    repo="${ref%:*}"
    tag="${ref##*:}"
    acceptM="application/vnd.docker.distribution.manifest.v2+json"
    acceptML="application/vnd.docker.distribution.manifest.list.v2+json"
    token=$(curl -s "https://auth.docker.io/token?service=registry.docker.io&scope=repository:${repo}:pull" \
            | jq -r '.token')
    curl -H "Accept: ${acceptM}" \
         -H "Accept: ${acceptML}" \
         -H "Authorization: Bearer $token" \
         -I -s "https://registry-1.docker.io/v2/${repo}/manifests/${tag}"

    $ ./digest-v2.sh library/busybox:latest
    HTTP/1.1 200 OK
    Content-Length: 2080
    Content-Type: application/vnd.docker.distribution.manifest.list.v2+json
    Docker-Content-Digest: sha256:d366a4665ab44f0648d7a00ae3fae139d55e32f9712c67accd604bb55df9d05a
    Docker-Distribution-Api-Version: registry/2.0
    Etag: "sha256:d366a4665ab44f0648d7a00ae3fae139d55e32f9712c67accd604bb55df9d05a"
    Date: Sun, 11 Oct 2020 21:04:59 GMT
    Strict-Transport-Security: max-age=31536000

You can compare that ETag or Docker-Content-Digest header to the registry reference on the image you've previously pulled:

    $ docker image inspect busybox:latest --format '{{json .RepoDigests}}' | jq .
    [
      "busybox@sha256:d366a4665ab44f0648d7a00ae3fae139d55e32f9712c67accd604bb55df9d05a"
    ]

    $ docker image pull busybox:latest
    latest: Pulling from library/busybox
    Digest: sha256:d366a4665ab44f0648d7a00ae3fae139d55e32f9712c67accd604bb55df9d05a
    Status: Image is up to date for busybox:latest
    docker.io/library/busybox:latest

I've also been working on some Go APIs and CLI to work with more registries where you may need to pass different types of authorization. That project is at regclient/regclient and includes a regctl command.

    $ regctl image digest --list busybox:latest
    sha256:d366a4665ab44f0648d7a00ae3fae139d55e32f9712c67accd604bb55df9d05a
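
The comparison described in the answer above can be scripted; the following is an added example, not part of the original answer. The function names and the `OTHER_DIGEST` value are assumptions made for illustration, and the sample headers are constructed so it runs without network access or Docker.

```shell
#!/bin/sh
# Added example: decide whether a local image is outdated by comparing the
# registry's Docker-Content-Digest header with the local RepoDigests list.

# busybox digest quoted on this page.
PAGE_DIGEST="sha256:d366a4665ab44f0648d7a00ae3fae139d55e32f9712c67accd604bb55df9d05a"
# Constructed value standing in for the digest of a newer push.
OTHER_DIGEST="sha256:$(printf '%064d' 0)"

# Constructed sample response: lowercase header names and CRLF line endings.
sample_headers() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'content-type: application/vnd.docker.distribution.manifest.list.v2+json\r\n'
    printf 'docker-content-digest: %s\r\n' "$PAGE_DIGEST"
}

# Read HTTP headers on stdin and print the Docker-Content-Digest value.
# Split on the first colon only, because the value itself contains one.
digest_from_headers() {
    tr -d '\r' | awk '{
        i = index($0, ":")
        if (i && tolower(substr($0, 1, i - 1)) == "docker-content-digest") {
            v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v
            exit
        }
    }'
}

# image_status REMOTE_DIGEST REPO_DIGESTS_JSON
# Prints: unknown    remote digest missing or malformed (failed lookup, 401, 404)
#         local-only image has no registry digest (built locally, never pulled)
#         current    remote digest is among the local RepoDigests
#         outdated   registry now serves a different digest for the tag
image_status() {
    remote="$1"; local_json="$2"
    if ! printf '%s\n' "$remote" | grep -Eq '^sha256:[0-9a-f]{64}$'; then
        echo unknown
    elif ! printf '%s' "$local_json" | grep -q '@sha256:'; then
        echo local-only
    elif printf '%s' "$local_json" | grep -Fq "@${remote}\""; then
        echo current
    else
        echo outdated
    fi
}

# Live use with the answer's script (needs network and Docker):
#   remote=$(./digest-v2.sh library/busybox:latest | digest_from_headers)
#   image_status "$remote" "$(docker image inspect busybox:latest --format '{{json .RepoDigests}}')"
```

Treating a missing or malformed remote digest as `unknown` keeps a failed registry lookup from being reported as "up to date".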


If you are using Docker Hub, you could use a webhook to notify the Docker host about an update, and take action on that.

Using the webhook would be the "simple" way to do it (I think); otherwise you would have to do some kind of crawling in the docker pull or, as explained by @alebianco, comparing some hashes or build/creation dates.

Here are the docs about it: https://docs.docker.com/docker-hub/webhooks/


There's an API available for the Docker Hub.

You should be able to get the list of tags, and from there the manifest details.


Edit:

I did some digging around; looks like they don't expose any kind of checksum of the image, its manifest or the layers that compose it.

The closest thing I found is the creation date ... which I wouldn't suggest using if you're trying to make something remotely secure.

Anyway, you need to get an access token first:

curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository:library/ubuntu:pull"

Extract the token from the response, then you can load the manifest of an image version:

curl --header "Authorization: Bearer $TOKEN" https://index.docker.io/v2/library/ubuntu/manifests/latest

Look into the history object of the JSON returned; you'll find a created property.

Then you can get your local image's created date with:

docker inspect --format "{{json .Created}}" ubuntu:latest

Compare the two and cringe away ...