Docker Hub

Where the images you docker pull come from, and how to judge whether one is trustworthy.

Registry and naming

Docker Hub is Docker’s cloud image registry (a central store of images, much like npm is for Node packages). Each image lives in a repository, and tags within a repo distinguish versions. Full naming format:
[registry]/[user or org]/[repo]:[tag]

python:3.12-slim                  # Docker Official Image (registry and library prefix omitted)
someuser/myapp:v1.0               # personal / org repo
myregistry.local:5000/test:1.0    # self-hosted registry
Omitting :tag equals :latest; avoid latest in Dockerfiles and production (see Choosing images).

Three trust tiers

Not every image is trustworthy. Look at three tiers:
| Tier | How to spot it | Maintainer |
|---|---|---|
| Docker Official Images | No user prefix (python, ubuntu, postgres), official badge | Curated by Docker, follows Dockerfile best practices, near-zero CVEs |
| Verified Publisher | "Verified Publisher" badge, vendor name in the path | Commercial vendor reviewed by Docker |
| Community images | Format username/image, no badge | Individual users; judge by download count and reputation |

Steps: check the path format (user prefix or not), confirm the badge on the Hub page, then look at download count and update frequency.
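
The path-format step, together with the naming rules from "Registry and naming", can be checked mechanically. The following is an added example (not code from the Docker documentation) that splits a reference into its parts and reports what the path alone tells you; the badge, download count and update frequency still have to be confirmed on the Hub page. The names ImageRef, parse_image_ref, the tier labels and the sample references are assumptions of this example, and it also accepts an optional @digest suffix, which the text above does not cover.

```python
from typing import NamedTuple

HUB_HOSTS = {"docker.io", "index.docker.io"}   # both names refer to Docker Hub

class ImageRef(NamedTuple):
    registry: str
    namespace: str
    repo: str
    tag: str
    tier: str        # result of the path-format check only (labels are this example's)
    warnings: list

def parse_image_ref(ref: str) -> ImageRef:
    name, _, digest = ref.partition("@")       # optional @sha256:... pin
    first, slash, rest = name.partition("/")
    # A leading component is a registry host only if it contains a dot or a
    # port, or is "localhost"; otherwise the registry was omitted (Docker Hub).
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", name
    if registry in HUB_HOSTS:
        registry = "docker.io"
    namespace, _, last = path.rpartition("/")
    repo, _, tag = last.partition(":")
    warnings = []
    if not tag and not digest:
        tag = "latest"
        warnings.append("no tag: resolves to :latest")
    elif tag == "latest" and not digest:
        warnings.append("explicit :latest is a moving tag")
    if registry != "docker.io":
        tier = "other-registry"                # Hub badges do not apply here
    elif namespace in ("", "library"):
        namespace, tier = "library", "official"
    else:
        tier = "hub-namespace"                 # Verified Publisher or community: check the badge
    return ImageRef(registry, namespace, repo, tag, tier, warnings)

# Constructed sample references; the first three are the ones listed under "Registry and naming".
SAMPLES = ["python:3.12-slim", "someuser/myapp:v1.0",
           "myregistry.local:5000/test:1.0", "ubuntu", "someuser/myapp:latest"]

if __name__ == "__main__":
    for s in SAMPLES:
        r = parse_image_ref(s)
        full = "/".join(p for p in (r.registry, r.namespace, r.repo) if p)
        print(f"{s:32} {r.tier:15} {full}:{r.tag} {r.warnings}")
```

A "hub-namespace" result only narrows the image to the Verified Publisher or community tier; which of the two it is depends on the badge shown on the Hub page.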

Public vs private

| | Public | Private |
|---|---|---|
| Visibility | Anyone can pull, no login | Only authorized accounts |
| Free plan | Unlimited public repos | 1 private repo (free personal plan) |

Login, push, pull

docker pull python:3.12-slim                 # pull an official image
docker pull someuser/myapp:v1.0              # pull a user repo

docker login                                 # log in (device code flow, browser confirm)
echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin   # CI, keeps password out of shell history

docker tag myapp:latest user/myapp:v1.0      # tag into the right format before push
docker push user/myapp:v1.0                  # push to your own repo
Official security advice: configure a credential store rather than leaving credentials in plaintext in ~/.docker/config.json.

Pull rate limits (as of 2026-06)

| Account type | Pull limit | Window |
|---|---|---|
| Anonymous (not logged in) | 100 per IPv4 or IPv6 /64 subnet | Per 6 hours |
| Authenticated free account | 200 | Per 6 hours |
| Paid plans (Pro / Team / Business) | Unlimited | |

Exceeding the limit returns HTTP 429 (Too Many Requests). CI is the most likely to hit it; standard fixes: docker login then pull (raises you from 100 to 200), upgrade to a paid plan, or run a local pull-through cache (the official registry image in proxy mode).

Reference: docs.docker.com/docker-hub/usage