az acr repository show --name <registry-name> --image <repository>@sha256:<digest>Container image digest
the immutable sha256 reference that identifies the exact container image manifest Azure pulls during deployment
Source: Microsoft Learn - About registries, repositories, images, and artifacts Reviewed 2026-05-12T00:00:00Z
- Exam trap
- Treating Container image digest as a label instead of checking the owning resource, scope, identity, and live configuration.
- Production check
- Can you identify the exact Azure resource and owner responsible for Container image digest?
Article details and learning context
- Aliases
- None listed
- Difficulty
- intermediate
- CLI mappings
- 3
- Last verified
- 2026-05-12T00:00:00Z
Understand the concept
In plain English
Container image digest is an immutable sha256 reference that points to one exact image manifest in a registry. In Azure, teams see it when a team pins a Container Apps, AKS, or Azure Container Instances deployment to the artifact that was approved, scanned, and released. It turns a vague deployment or policy discussion into a specific value that operators can verify in portal views, CLI output, or logs. The practical question is what it means, which resource owns it, which environment uses it, and what proof makes the next change safe.
Why it matters
Container image digest matters because it is the strongest proof that production is running the exact artifact the team approved. When teams misunderstand it, mutable tags can drift, rollback can pull the wrong build, and security teams may be unable to connect a vulnerability finding to a live workload. A precise glossary entry gives architects, developers, security reviewers, and operators the same vocabulary for design reviews, change tickets, and incidents. It connects the Azure feature to ownership, measurable objectives, runbook checks, and audit evidence. That shared view helps teams make safer choices under pressure, prove compliance quickly, and avoid treating a production control as a portal-only detail.
Official wording and source
An immutable sha256 content address that identifies one exact container image manifest in a registry.
Technical context
Technically, Container image digest is the content address for a registry manifest, not a friendly release label. Engineers verify it through ACR repository metadata, deployment image references, digest-based pull strings, scan results, pull events, and release approvals. Important fields include registry login server, repository, digest, manifest media type, image tag, architecture, scan status, retention state, and consuming workload. In production reviews, capture subscription, resource group, region, identity, deployment name, and rollback notes before changing it. That context keeps troubleshooting tied to facts rather than assumptions.
Exam context
Compare with
Where it is used
Where you see it
- You see Container image digest in container registries, deployment manifests, Kubernetes events, and image scan reports when confirming immutable sha256 digest, manifest, repository, and pulled artifact for release, audit, or incident evidence.
- You see Container image digest during troubleshooting when a tag points to different content than expected and operators must connect portal state, CLI output, logs, metrics, owners, and rollback notes.
- You see Container image digest in architecture reviews when teams decide how deployments pin exact container image content, how evidence is gathered, and how it affects security, reliability, operations, cost, and performance.
Common situations
- Use Container image digest during design reviews to connect the Azure concept to an owner, environment, and measurable production outcome.
- Inspect Container image digest before releases, audits, or incidents so the team works from current Azure evidence instead of assumptions.
- Automate repeatable checks for Container image digest when the same workload pattern appears across development, test, and production.
- Document how Container image digest affects rollback, security review, support escalation, and long-term governance.
Illustrative Azure scenarios
These examples show how the concept can affect design and operations. They are illustrative scenarios, not customer claims.
Scenario 01 Digest-pinned release for mobile banking Scenario, objectives, solution, measured impact, and takeaway.
Fincrest Bank ran a customer API on Azure Container Apps and needed to prove every production revision used the exact image approved by security.
- Pin production deployments to immutable image digests
- Cut release verification time below 20 minutes
- Keep approved rollback artifacts for 60 days
- Link vulnerability findings to running revisions
The platform team changed the release process so build pipelines pushed images to Azure Container Registry with a unique tag, captured the resulting sha256 digest, and wrote that digest into the Container Apps deployment manifest. Release tickets stored the registry, repository, tag, digest, scan result, approver, and rollback digest. Azure RBAC limited who could push or delete production images, while repository attributes protected approved artifacts from accidental modification. Operators used Azure CLI checks to compare the digest in ACR with the digest referenced by the active revision before traffic moved. Defender findings were triaged by digest, not by tag, so security could determine whether a vulnerable image was actually running. The runbook included rollback criteria and a retention rule that preserved the prior good digest for two release cycles.
- Release verification fell from 75 minutes to 14 minutes
- Zero production rollouts used mutable latest tags
- Security matched critical findings to live revisions within 10 minutes
- Rollback images remained available for every audited release
A digest turns image approval into verifiable runtime evidence instead of a trust-based tag conversation.
Scenario 02 Healthcare rollback after base image patching Scenario, objectives, solution, measured impact, and takeaway.
AlpineMed Clinics operated AKS services for appointment scheduling and needed safer rollback after monthly base image patching.
- Patch base images within 48 hours of approval
- Prove the active pod image after each rollout
- Reduce failed rollbacks caused by tag drift
- Preserve audit evidence for regulated workloads
Engineers kept human-friendly tags for release notes but required deployment manifests to reference the image digest promoted by the pipeline. Azure Container Registry stored the patched images, and the pipeline exported repository, tag, digest, build ID, and scan status into a release evidence file. AKS deployment templates consumed the digest form of the image reference, while admission checks rejected images from unapproved registries. During the first rollout, operators compared pod specs, ACR repository metadata, and vulnerability findings before closing the change. When one microservice showed higher error rates, the team rolled back to the previous digest instead of searching for an old tag. The incident review updated the runbook to include digest checks before and after each node pool rollout.
- Monthly patch compliance improved from 61 percent to 96 percent
- Rollback time dropped from 42 minutes to 9 minutes
- No service rolled back to an unintended image version
- Audit packets contained digest evidence for every regulated service
Digest-based deployment gives healthcare teams a reliable rollback target when tags alone are not trustworthy.
Scenario 03 Manufacturing image provenance for plant systems Scenario, objectives, solution, measured impact, and takeaway.
BrightForge Manufacturing deployed edge-connected analytics services and needed proof that only approved images reached plant-facing container workloads.
- Block unapproved external image pulls
- Trace each deployment to build and scan evidence
- Shorten plant incident triage by 30 percent
- Retain production digests for quarterly audits
The architecture team centralized images in Azure Container Registry and required every production deployment to reference a digest captured after scanning. Build pipelines generated SBOM files and attached scan summaries to the same release record as the digest. Container Apps environments pulled images using managed identity, and network rules restricted registry access to approved subnets. Operators maintained a digest inventory for each plant workload, including owner, region, active revision, rollback digest, and monitoring window. When an outage investigation started, support no longer asked which tag was deployed; they compared the active digest against the release evidence and ACR metadata. Cleanup automation kept old development tags short-lived but preserved audited production digests. The team also recorded owner, approval window, rollback trigger, and monitoring evidence so support could repeat the process.
- External registry pulls from production dropped to zero
- Incident image identification improved from 35 minutes to 6 minutes
- Quarterly audit sampling found complete digest evidence
- Registry cleanup saved 18 percent of stored image capacity
For plant systems, a container image digest is the anchor that connects build provenance to production operations.
Azure CLI
Use Azure CLI for Container image digest when you need repeatable evidence, safe discovery, and scriptable checks across subscriptions, environments, and incidents.
Useful for
- Confirm the Azure resource, scope, and current state related to Container image digest before a production change.
- Collect repeatable evidence for release review, incident triage, audit response, or owner handoff.
- Compare expected configuration with live output across environments without relying on portal screenshots.
Before you run a command
- Run az account show first and confirm tenant, subscription, and operator identity before collecting or changing evidence.
- Confirm resource group, resource name, region, environment, and owner so output is not mistaken for a different workload.
- Start with read-only commands, protect secrets in output, and get approval before running mutating, security-impacting, or cost-impacting commands.
What the output tells you
- Output shows whether Container image digest exists at the expected Azure scope and whether names, IDs, locations, or states match the design.
- Returned fields help separate configuration drift, access problems, quota limits, dependency failures, and application behavior during troubleshooting.
- Differences between expected and actual output create evidence for rollback, owner follow-up, policy review, or support escalation.
Mapped commands
Azure Container Registry image verification
directaz acr repository show-tags --name <registry-name> --repository <repository> --detailaz acr repository update --name <registry-name> --image <repository>@sha256:<digest> --write-enabled falseArchitecture context
A container image digest is the immutable reference I trust when proving exactly what artifact is running. Tags are convenient, but a digest ties deployment to a specific manifest and protects production from silent tag movement. Architecturally, digest pinning connects CI/CD, registry governance, vulnerability scanning, rollback, and admission policy. I expect release evidence to include the registry, repository, tag, digest, build run, scan result, and environment where it was deployed. In AKS, Container Apps, and Container Instances, the digest helps separate image drift from configuration drift during incidents. Good teams promote by digest, keep rollback digests available, and avoid relying on mutable labels for regulated or high-change workloads.
- Security
- Security for Container image digest focuses on digest pinning, trusted registries, vulnerability results, repository locks, image signing, pull identity, and who can delete manifests. Review managed identities, RBAC assignments, private networking, secrets, policy exemptions, audit logs, and the exact people or automation that can change the setting. Prefer least privilege, approved repositories, documented break-glass access, and evidence captured before production changes. Watch for public endpoints, stale credentials, broad Contributor access, unreviewed images, or logs that reveal sensitive values. The security goal is to make misuse visible early and make every exception traceable to an owner, expiration date, business reason, and misuse signal.
- Cost
- Cost for Container image digest comes from registry storage, duplicate layers, retained rollback artifacts, geo-replication, scan volume, and wasted rebuilds caused by unclear image references. Some charges are direct, but many costs appear as incident response, duplicate environments, longer deployments, excessive telemetry, or support time caused by unclear ownership. Review budgets, tags, retention policies, data volume, region choices, automation frequency, and monitoring ingestion before scaling the design each month. Tie every cost increase to a business reason, expected duration, and measurement window. This lets finance distinguish intentional investment from waste and helps engineers avoid small configuration choices becoming monthly variance. Review trends before renewals.
- Reliability
- Reliability for Container image digest depends on registry availability, retained rollback digests, tag-to-digest mapping, architecture compatibility, and image pull success. Operators should know the expected healthy state, dependencies, failure symptoms, alert thresholds, and rollback path before a change window opens. Monitor resource state, logs, metrics, quota, latency, dependency health, and user-facing errors rather than relying on a portal screenshot alone. Test the failure path where possible, including denied access, unavailable dependencies, bad configuration, and restoration from the previous known-good state. Good reliability practice turns the term into an observable control that supports faster recovery and fewer repeated incidents. Review evidence after each release.
- Performance
- Performance for Container image digest is about image size, layer reuse, pull latency, registry location, digest availability, and startup behavior during scale events. Measure signals that users or workloads actually feel, such as startup time, latency, throughput, error rate, queue depth, CPU, memory, pull duration, moderation delay, or API response time. Avoid tuning one setting in isolation when identity, network path, region, cache state, dependency behavior, and resource limits may also influence results. Keep baseline measurements before and after changes so regressions are visible. The best performance reviews connect the term to a real bottleneck instead of the most obvious Azure setting.
- Operations
- Operationally, Container image digest belongs in runbooks, release notes, dashboards, and handoff checklists, not only in an engineer's memory. Teams should know which portal blade, CLI command, log query, metric, deployment file, or ticket proves the current state. Capture before-and-after evidence with subscription, resource group, region, resource IDs, owner, monitoring window, and rollback trigger. Use naming standards and tags so support teams can find the right resource during incidents. The practical operations win is repeatability: any qualified operator should be able to inspect, explain, and safely change it without guessing. Record the outcome for service reviews, audits, and accountable owners.
Common mistakes
- Treating Container image digest as a label instead of checking the owning resource, scope, identity, and live configuration.
- Copying a command from another environment without validating subscription, resource group, region, and safety impact.
- Closing an incident or release without saving the evidence that proves the setting was correct after the change.