Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter II - Local / 02. Containers / Container Enumeration

Go Templates

Docker uses Go templates in docker inspect --format.

Go templates are not a command execution primitive. They are a way to extract structured fields from Docker's JSON objects.

They matter because they quickly reveal mounts, environment variables, network settings, image commands, labels, and secrets.


Basic Usage

Inspect a container:

docker inspect CONTAINER_ID

Use a format string:

docker inspect --format '{{ .Name }}' CONTAINER_ID

Dump the full object as JSON:

docker inspect --format '{{ json . }}' CONTAINER_ID

Dump the raw object representation:

docker inspect --format '{{printf "%s" .}}' CONTAINER_ID

Useful Fields

Container ID:

docker inspect --format '{{ .ID }}' CONTAINER_ID

Name:

docker inspect --format '{{ .Name }}' CONTAINER_ID

Environment:

docker inspect --format '{{ json .Config.Env }}' CONTAINER_ID

Entrypoint and command:

docker inspect --format '{{ json .Config.Entrypoint }} {{ json .Config.Cmd }}' CONTAINER_ID

Exposed ports:

docker inspect --format '{{ json .Config.ExposedPorts }}' CONTAINER_ID

Mounts:

docker inspect --format '{{ json .Mounts }}' CONTAINER_ID

Network settings:

docker inspect --format '{{ json .NetworkSettings.Networks }}' CONTAINER_ID

Privileged flag:

docker inspect --format '{{ .HostConfig.Privileged }}' CONTAINER_ID

Capabilities:

docker inspect --format '{{ json .HostConfig.CapAdd }} {{ json .HostConfig.CapDrop }}' CONTAINER_ID

Security options:

docker inspect --format '{{ json .HostConfig.SecurityOpt }}' CONTAINER_ID

PID mode:

docker inspect --format '{{ .HostConfig.PidMode }}' CONTAINER_ID

Network mode:

docker inspect --format '{{ .HostConfig.NetworkMode }}' CONTAINER_ID

Why It Matters

Go templates help answer:

  • Is this container privileged?
  • Are host directories mounted?
  • Is the Docker socket mounted?
  • Are secrets stored in environment variables?
  • Is host networking enabled?
  • Is host PID mode enabled?
  • Were dangerous capabilities added?
  • Are AppArmor/seccomp options disabled?

Remediation

Do not rely on hidden Docker configuration.

Defenders should regularly inspect running containers for:

Privileged=true
/:/host mounts
/var/run/docker.sock mounts
host network
host PID
dangerous capabilities
disabled seccomp/AppArmor
secrets in environment variables

Go templates are a convenient audit interface for these checks.