Amazingly there isn’t a built-in mechanism to check if docker containers are up-to-date, you can only do a pull and see if anything is downloaded. By doing so the images are anyway updated, so if the container is recreated for any reason it will also use those new images.
There’s a tool called Skopeo which should do this, but I could not get it to run (the Go dependencies are too complex on my older Linux installation).
There’s also Watchtower which automates the checking but does not ensure images aren’t downloaded.
I decided to write my own bash script to read the local docker container / image details and compare them against the latest version in the repo using the API. This turned out to be pretty complex – in the case of Docker Hub because the URLs and authentication aren’t very intuitive, and in the case of Github because they use the newer manifest schema which requires multiple calls to get the information.
However… I got a script which works, confirming whether local images are up-to-date (at least for my set of containers).
My scenario is that I run this script each week with the settings to check all containers and only output those that are out-of-date. Any output is then sent to me by email so I can decide when to update.
It can be found on Github: https://github.com/pseudocoder/docker-check
Example output from my media server
% docker-check -a paperless-ng_gotenberg_1 (thecodingmachine/gotenberg) is up-to-date mariadb (linuxserver/mariadb:latest) is up-to-date wireguard (ghcr.io/linuxserver/wireguard) is up-to-date heimdall (linuxserver/heimdall:latest) is up-to-date plex (linuxserver/plex:latest) is up-to-date wordpress-gee-family (wordpress:latest) is up-to-date wordpress-pseudocode (wordpress:latest) is up-to-date cops (linuxserver/cops) is up-to-date paperless-ng_webserver_1 (jonaswinkler/paperless-ng:latest) is up-to-date filebrowser (filebrowser/filebrowser:latest) is up-to-date deluge (linuxserver/deluge) is up-to-date filerun (afian/filerun:latest) is up-to-date calibre-web (linuxserver/calibre-web) is up-to-date influxdb2 (influxdb:latest) is up-to-date syncthing (linuxserver/syncthing:latest) is up-to-date grafana (grafana/grafana:latest) is up-to-date paperless-ng_db_1 (postgres:13) is up-to-date paperless-ng_broker_1 (redis:6.0) is up-to-date paperless-ng_tika_1 (apache/tika) is up-to-date portainer (portainer/portainer-ce) is up-to-date