> For the complete documentation index, see [llms.txt](https://docs.arnica.io/arnica-documentation/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.arnica.io/arnica-documentation/inventory/container-images.md).

# Container Images

Requires a container registry integration - see [Container Integrations](/arnica-documentation/getting-started/container-integrations.md).

## Automatic Labeling Policy

To ensure every Docker image is traceable back to its Dockerfile and source code repository, configure an **Auto-Labeling** policy.

<figure><img src="/files/H3Iz9YCA87xY9cQD0sEh" alt=""><figcaption><p>Policy definition</p></figcaption></figure>

1. Go to **Admin - Policies**, expand **Code Risk**, then select **Rules**.
2. Create a new rule with the following configuration:
   * **Trigger**: Pull Request Created
   * **Conditions**: Add conditions to limit which repositories, organizations, or products participate. Discuss the scope with affected developers before enabling broadly.
   * **Action**: **Tag all Dockerfiles**
3. Under the **Tag all Dockerfiles** action, enable the following OCI annotations:
   * `org.opencontainers.image.source`
   * `org.opencontainers.image.path`
   * (Optional) Add a **Custom Message** to display in PR comments
4. Give the rule a name, save, and toggle it **On**.

{% hint style="info" %}
OCI annotations let you trace each image back to the exact Dockerfile path and Git commit, improving supply chain auditability. See the developer-facing guide: [Adding OCI Tags to Docker Images](/arnica-documentation/developers/adding-oci-tags-to-docker-images.md).
{% endhint %}

## Viewing Container Images

Go to **Inventory - Container Images** to browse all synced images. Click any row to see its recent versions.

Arnica scans the last 20 versions per image each day and marks the most recent as the latest. Versions are sorted in the following order:

1. **`latest` tag** - always appears first; if multiple exist, most recently pushed wins
2. **Semantic version tags** - e.g. `1.2.3`, `2.0.0-beta`; higher versions rank first; leading `v` is stripped automatically
3. **Date-based tags** - e.g. `2025-09-15`; newer dates appear first
4. **Push time fallback** - everything else is sorted by when it was pushed, newest first

## Mapping Images to Source Code

Arnica can automatically or manually map images back to their source Dockerfiles.

### Automatic mapping

| Method                                                                                                       | Assignment type | Confidence |
| ------------------------------------------------------------------------------------------------------------ | --------------- | ---------- |
| **Statistical matching** - compares image config history against Dockerfile lines in the codebase            | `Lines`         | Medium     |
| **Label-based matching** - uses `org.opencontainers.image.source` and `org.opencontainers.image.path` labels | `Labels`        | High       |

Label-based matching requires the source repositories to be visible to Arnica after a full inventory scan. See [Adding OCI Tags to Docker Images](/arnica-documentation/developers/adding-oci-tags-to-docker-images.md) for setup.

### Manual mapping

In **Inventory - Container Images**, click an image and select a repository from the **Link to repository** dropdown. If Arnica detected Dockerfile files in that repository during the last inventory scan, a second dropdown lets you select the specific Dockerfile - useful for monorepos where a Dockerfile lives alongside the app it builds.

{% hint style="info" %}
To revert to automatic mapping at any time, click the **Auto** radio button. Changes are saved automatically.
{% endhint %}


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.arnica.io/arnica-documentation/inventory/container-images.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.