docker pull Command Reference
Download an image from a registry.
docker pull fetches an image and its layers from a registry into the local store. Without an explicit tag it pulls :latest. For reproducible builds you can pull by digest (image@sha256:...) so the bytes never change.
Common flags
-a, --all-tags- download all tagged images in the repository--platform- pull for a specific platform, e.g. linux/arm64-q, --quiet- suppress verbose output--disable-content-trust- skip image signature verification (default true)
Example
shell
docker pull node:20-alpine
docker pull --platform linux/amd64 ghcr.io/myorg/base@sha256:${BASE_DIGEST}In CI
Pin base images by digest to make builds deterministic and immune to a moving tag. "toomanyrequests: You have reached your pull rate limit" on Docker Hub means anonymous rate limits were hit; authenticate with docker login or pull from a mirror.
Key takeaways
- Pull by digest (image@sha256:...) for reproducible, immutable inputs.
- Authenticate to avoid Docker Hub anonymous pull rate limits in CI.
- --platform pulls a specific architecture variant of a multi-arch image.
Related guides
docker push Command ReferenceReference for docker push in CI: publish a tagged image or all tags to a registry, with notes on authenticati…
docker images Command ReferenceReference for docker images in CI: list local images with --filter, --format, and -q to inspect or script ove…
docker login Command ReferenceReference for docker login in CI: authenticate to a registry with -u and --password-stdin to avoid leaking cr…