Moving docker images from one container registry to another

How to copy Docker Hub images into your private Azure Container Registry (ACR).

Paulo Gomes

In a business, when consuming public docker images, you may want to sanitise them, running some processes before putting them to use. This process could be used for:

  • Standardising configuration.
  • Installing required software/packages.
  • Checking for vulnerabilities and take snapshots of all dependency versions.
  • Validating OSS License compliance.
  • Scanning for malware.
  • OS-level patching.

Generally that would result in “Golden Images” or simply base images that would be white-listed for internal consumption. I won’t be focusing on why or how to do any of the above, as it could be quite specific. However, below I will just cover the “how to” automate the process of re-tagging public images so you can push them into your internal CR.

In order to make push images into a registry, you need to authenticate against it. For Azure ACR, you can either use the docker login command:

docker login –username USER_NAME –password PASSWORD

Or the azure CLI command:

az acr login -n ACR_NAME -g RESOURCE_GROUP_NAME –username USER_NAME –password PASSWORD

The re-tagging command takes place locally, so before you can do that, you need to pull the required images locally.

You can either pull all tags of a given image:

docker pull microsoft/dotnet -a

Or make this more storage-and-time efficient, finding the tags you want for that docker image and executing the pull command to download only them.

Once you have the required images locally, you can add new tags to them with docker tag. Here’s a bash script to help with that:

Note that I use Go Templates in the docker images command, to build the commands I will need to execute.

For each image found locally based on the original_image that also matches the filter defined, the result will be:


Then, I “grep out” anything that is contained in the grep_filter. For example, I do not want to push the tag latest, nor any tag containing the words bionic, nanoserver or deps.

As a last thing, I execute all the commands, which will then re-tag and push each one of the images to the private ACR.

Wrap Up

This can be especially handy when you are putting in place an Image Assurance within a company-wide. Note that alternative approaches exist, for example, using the original Dockerfiles (when available) to trigger the process of generating such images. However, I pursued the approach above as it felt easier to automate whilst keeping a direct connection to publicly available docker images.

Leave a Comment

Your email address will not be published. Required fields are marked *