Docker uses Go templates in docker inspect --format.
Go templates are not a command execution primitive. They are a way to extract structured fields from Docker's JSON objects.
They matter because they quickly reveal mounts, environment variables, network settings, image commands, labels, and secrets.
Basic Usage
Inspect a container:
docker inspect CONTAINER_ID
Use a format string:
docker inspect --format '{{ .Name }}' CONTAINER_ID
Dump the full object as JSON:
docker inspect --format '{{ json . }}' CONTAINER_ID
Dump the raw object representation:
docker inspect --format '{{printf "%s" .}}' CONTAINER_ID
Useful Fields
Container ID:
docker inspect --format '{{ .ID }}' CONTAINER_ID
Name:
docker inspect --format '{{ .Name }}' CONTAINER_ID
Environment:
docker inspect --format '{{ json .Config.Env }}' CONTAINER_ID
Entrypoint and command:
docker inspect --format '{{ json .Config.Entrypoint }} {{ json .Config.Cmd }}' CONTAINER_ID
Exposed ports:
docker inspect --format '{{ json .Config.ExposedPorts }}' CONTAINER_ID
Mounts:
docker inspect --format '{{ json .Mounts }}' CONTAINER_ID
Network settings:
docker inspect --format '{{ json .NetworkSettings.Networks }}' CONTAINER_ID
Privileged flag:
docker inspect --format '{{ .HostConfig.Privileged }}' CONTAINER_ID
Capabilities:
docker inspect --format '{{ json .HostConfig.CapAdd }} {{ json .HostConfig.CapDrop }}' CONTAINER_ID
Security options:
docker inspect --format '{{ json .HostConfig.SecurityOpt }}' CONTAINER_ID
PID mode:
docker inspect --format '{{ .HostConfig.PidMode }}' CONTAINER_ID
Network mode:
docker inspect --format '{{ .HostConfig.NetworkMode }}' CONTAINER_ID
Why It Matters
Go templates help answer:
- Is this container privileged?
- Are host directories mounted?
- Is the Docker socket mounted?
- Are secrets stored in environment variables?
- Is host networking enabled?
- Is host PID mode enabled?
- Were dangerous capabilities added?
- Are AppArmor/seccomp options disabled?
Remediation
Do not rely on hidden Docker configuration.
Defenders should regularly inspect running containers for:
Privileged=true
/:/host mounts
/var/run/docker.sock mounts
host network
host PID
dangerous capabilities
disabled seccomp/AppArmor
secrets in environment variables
Go templates are a convenient audit interface for these checks.