Is there a way to find what a layer was made from only with its sha?

Question

This docker image https://hub.docker.com/layers/hseeberger/scala-sbt/8u222_1.3.5_2.13.1/images/sha256-c332b90d6141f34517dec9285601b246f4df7861d421d1fb8cc70ee157a098f2

does not use the usual FROM as a base, but rather ADD file:fdf0128645db4c8b990073dc4fe3fabad50411032c9aa4f86538d46e0e8f158f in /

Is there a way to see what this layer was build from / what are its contents / basically make sure that it is safe to run?

Answer 1

I don't know of an automated way. But the image is based on an OpenJDK image and I found the same hash in this image https://hub.docker.com/layers/openjdk/library/openjdk/8u222-stretch/images/sha256-c9170435c6535402241fc24cd9b426aa3db527be345231147775ad83ba145705?context=explore

The OpenJDK image was published on Oct 17th 2019 and because it has 'stretch' in the name, I guessed that the base image probably was Debian, I found the same hash in the Debian image from Oct 14th 2019 https://hub.docker.com/layers/debian/library/debian/stretch-20191014/images/sha256-06888500a6e8fc2e2a06ddf83417b10660d457b1ba1e4a06bdcd427cfd394b31?context=explore

So the base image is the official debian:stretch-20191014 image. The ADD command is often used to create the official OS base images, since you can create a full filesystem from a single tar file.