🐳 Docker Beginner

What is the difference between image tags and digests?

Answer

Image tags are human-readable labels attached to a specific image version, like nginx:1.25 or myapp:latest. Tags are mutable: the same tag can be reassigned to a different image ID over time. This is why relying on :latest in production is dangerous, since the image it points to can change without notice.

Image digests are immutable, cryptographic SHA256 hashes of the image content: nginx@sha256:abc123.... Using a digest guarantees you always get the exact same image bytes, regardless of what the tag points to.

Find a digest: docker images --digests nginx or docker inspect --format "{{.RepoDigests}}" nginx:1.25. Pull by digest: docker pull nginx@sha256:abc123....

In production Kubernetes manifests, using digests is a security best practice: image: nginx@sha256:abc123... prevents hijacking through mutable tags (tag confusion attacks, where an attacker pushes a malicious image with the same tag). CI/CD best practice: build image → get digest from push output → deploy using digest. Tools like crane and skopeo help manage image digests. Content trust (DOCKER_CONTENT_TRUST=1) enables Notary-based image signing for verifying image authenticity.