# Inspecting Docker Images ## About When building Spring Boot applications for containerized deployment, it's common to package them as Docker images. But the way these images are built and what they contain can greatly impact performance, security, and maintainability. **Inspecting Docker images** involves analyzing the image’s internal structure: its layers, file system, configuration metadata, embedded application artifacts (like JARs), and runtime setup. Tools like `dive`, `docker history`, and `docker inspect` allow developers to gain visibility into how Spring Boot applications are built and shipped in container form. ## Why It Matters ? * **Understand What Goes Inside**: A Spring Boot image often includes our application JAR, dependencies, configs, and even a base OS. Inspection helps verify what’s actually packaged. * **Optimize Image Layers**: Avoid unnecessary bloat caused by repetitive or misplaced build steps (e.g., `COPY` commands, Maven caches). * **Troubleshooting & Debugging**: Pinpoint missing files, misconfigured entrypoints, or wrong permissions inside the image. * **Security Auditing**: Check for unexpected tools, leftover secrets, or outdated libraries. * **CI/CD Confidence**: Verifies whether final production images match expectations set in Dockerfiles or Jib builds. ## What to Look For During Inspection of a Spring Boot Docker Image ?


Aspect	What to Look For	Why It Matters / Use Case
Application JAR	Is the JAR file (e.g., `hello-springboot.jar`) present in the expected path like `/app` or `/target`?	Validates that the build and copy steps succeeded. Missing JAR means the app won’t run at all.
Configuration Files	Are `application.properties` or `application.yml` files included? Are they in the right directory?	If these files are missing, environment-specific configs (DB URL, ports, etc.) won't be picked up.
Liquibase / Flyway Migrations	Check if migration scripts (e.g., `db/changelog.xml`) are copied into the image.	Without these, Liquibase or Flyway will fail silently or at runtime due to missing migration files.
Secrets or Credentials	Are there any `.env`, `.pem`, or credentials accidentally copied?	Avoid leaking secrets into images. They should be injected via environment variables at runtime instead.
Layer Size	Which layer adds the most size? Are there any large, unnecessary files?	Identifies optimization opportunities. For example, Maven cache might get added if `.dockerignore` is misconfigured.
Base Image	What is the base image used (e.g., `openjdk`, `eclipse-temurin`, `distroless`)?	Affects image size, startup time, and security posture. Distroless or slim images are better for production.
Permissions	Are file permissions and ownership correct (e.g., non-root user)?	Running apps as root is a security risk. Inspect `/home/nonroot` or UID/GID mappings.
Entrypoint / CMD	Is `ENTRYPOINT ["java", "-jar", "app.jar"]` correctly defined?	Ensures that the app starts automatically when the container is run.
Unwanted Files	Are `.git`, `test/`, `target/`, `.idea`, or `node_modules` present in final image?	These should be excluded using `.dockerignore`. Including them increases size and leaks internal structure.
Healthcheck or Labels	Are labels like `maintainer`, `version`, or healthcheck metadata added?	Helps in managing images during deployment and monitoring.
Build Artifacts	Is Maven or Gradle cache included?	May unnecessarily inflate image size; should be kept in builder stage only.

## Using Dive to Explore Spring Boot Docker Images To deeply inspect the internals of our Spring Boot Docker image such as layer-by-layer file changes, image composition, and efficiency the tool **Dive** is highly recommended. Dive provides a terminal-based interface to: * View each image layer and what it adds or removes * Analyze the image’s file system at any layer * Identify redundant or bloated layers (e.g., Maven caches, test files) * Detect config file locations, application JAR placement, and more * Measure image efficiency, especially in multi-stage builds This is especially useful when we want to: * Ensure our `application.properties`, Liquibase scripts, and compiled JAR are properly placed * Confirm that unwanted artifacts (e.g., `.git`, `.class` files, temp logs) are excluded * Debug runtime issues caused by misconfigured or missing files Refer to the Page for more details - [Use Case](/the-programmers-guide/containers-and-orchestration/containerisation/container-tools-and-utilities/image-analysis-and-debugging-tools/dive/use-case.md)

{% hint style="info" %} After inspecting the image, proper classpath updates can be done to locate the appropriate configuration files \['-cp','/app/WEB-INF/classes\:/app/WEB-INF/lib/*:/app/classes\:/app/libs/*:/app/resources/','-Dlogging.level.liquibase=DEBUG'] {% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.pranaypourkar.co.in/the-programmers-guide/spring/deployment-and-packaging/inspecting-docker-images.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.