Analyze image content with docker containers (preview)

2025-02-21

The Analyze image container scans images for sexual content, violence, hate, and self-harm with multi-severity levels. This guide shows how to download, install, and run a content safety image container.

For more information about prerequisites, validating that a container is running, running multiple containers on the same host, and running disconnected containers, see Install and run content safety containers with Docker.

Specify a container image

The content safety analyze image container image for all supported versions can be found on the Microsoft Container Registry (MCR) syndicate. It resides in the azure-cognitive-services/contentsafety repository and is named image-analyze.

The fully qualified container name is, mcr.microsoft.com/en-us/product/azure-cognitive-services/contentsafety/image-analyze. Append a specific container version, or append :latest to get the most recent version. For example:

Version	Path
Latest	`mcr.microsoft.com/azure-cognitive-services/contentsafety/image-analyze:latest` The `latest` tag pulls the latest image.
`1.0.0-amd64-preview`	`mcr.microsoft.com/azure-cognitive-services/contentsafety/image-analyze:1.0.0-amd64-preview`

Get the container image

Make sure you meet the prerequisites, including required hardware. Also see the recommended allocation of resources section for each content safety container.

Use the docker pull command to download a container image from Microsoft Container Registry:

docker mcr.microsoft.com/azure-cognitive-services/contentsafety/image-analyze:latest

Run the container

Use the docker run command to run the container.

Standard container
Disconnected container

The following table represents the various docker run parameters and their corresponding descriptions:

Parameter	Description
`{ENDPOINT_URI}`	The endpoint is required for metering and billing. For more information, see billing arguments.
`{API_KEY}`	The API key is required. For more information, see billing arguments.

When you run the content safety analyze image container, configure the port, memory, and CPU according to the requirements and recommendations.

Here's a sample docker run command with placeholder values. You must specify the ENDPOINT_URI and API_KEY values:

docker run --rm -it -p 5000:5000 --gpus all \
mcr.microsoft.com/azure-cognitive-services/contentsafety/image-analyze:latest \
Eula=accept \
Billing={ENDPOINT_URI} \
ApiKey={API_KEY}

This command:

Runs an image-analyze container from the container image.
Uses all available GPU resources (by specifying --gpus all). Content safety containers require CUDA for optimal performance. Learn more in host requirements and recommendations. Also make sure your host installs NVIDIA container toolkit.
Exposes TCP port 5000 and allocates a pseudo-TTY for the container.
Automatically removes the container after it exits. The container image is still available on the host computer.

To run disconnected containers (not connected to the internet), you must submit a request form and wait for approval. For more information about applying and purchasing a commitment plan to use containers in disconnected environments, see Use containers in disconnected environments in the Azure AI services documentation.

If you're approved to run the disconnected container, the following example shows the formatting of the docker run command to use, with placeholder values. Replace these values with your own values.

Placeholder	Description
`{IMAGE}`	The container image you want to use. For example: `mcr.microsoft.com/azure-cognitive-services/content safety-to-image:latest`
`{LICENSE_MOUNT}`	The path where the license is downloaded, and mounted. For example: `/host/license:/path/to/license/directory`
`{ENDPOINT_URI}`	The endpoint for authenticating your service request. You can find it on your resource's Key and endpoint page, on the Azure portal. For example: `https://<your-resource-name>.cognitiveservices.azure.com`
`{API_KEY}`	The key for your content safety resource. You can find it on your resource's Key and endpoint page, on the Azure portal.
`{CONTAINER_LICENSE_DIRECTORY}`	Location of the license folder on the container's local filesystem. For example: `/path/to/license/directory`

docker run --rm -it -p 5000:5000 \ 
-v {LICENSE_MOUNT} \
{IMAGE} \
eula=accept \
billing={ENDPOINT_URI} \
apikey={API_KEY} \
DownloadLicense=True \
Mounts:License={CONTAINER_LICENSE_DIRECTORY}

The DownloadLicense=True parameter in your docker run command downloads a license file to enable your Docker container to run when it isn't connected to the internet. It also contains an expiration date, after which the license file is invalid to run the container. You can only use a license file with the appropriate container that you're approved for. For example, you can't use a license file for a content safety-to-image container with a neural-image-to-content-safety container.

Once the license file is downloaded, you can run the container in a disconnected environment. The following example shows the formatting of the docker run command you use, with placeholder values. Replace these values with your own values.

Wherever the container is run, the license file must be mounted to the container and the location of the license folder on the container's local filesystem must be specified with Mounts:License=. An output mount must also be specified so that billing usage records can be written.

Placeholder	Value	Format or example
`{IMAGE}`	The container image you want to use. For example: `mcr.microsoft.com/azure-cognitive-services/content safety-to-image:latest`
`{MEMORY_SIZE}`	The appropriate size of memory to allocate for your container. For example: `4g`
`{NUMBER_CPUS}`	The appropriate number of CPUs to allocate for your container. For example: `4`
`{LICENSE_MOUNT}`	The path where the license is located and mounted. For example: `/host/license:/path/to/license/directory`
`{OUTPUT_PATH}`	The output path for logging. For example: `/host/output:/path/to/output/directory` For more information, see usage records in the Azure AI services documentation.
`{CONTAINER_LICENSE_DIRECTORY}`	Location of the license folder on the container's local filesystem. For example: `/path/to/license/directory`
`{CONTAINER_OUTPUT_DIRECTORY}`	Location of the output folder on the container's local filesystem. For example: `/path/to/output/directory`

docker run --rm -it -p 5000:5000 --memory {MEMORY_SIZE} --cpus {NUMBER_CPUS} \ 
-v {LICENSE_MOUNT} \ 
-v {OUTPUT_PATH} \
{IMAGE} \
eula=accept \
Mounts:License={CONTAINER_LICENSE_DIRECTORY}
Mounts:Output={CONTAINER_OUTPUT_DIRECTORY}

Content safety containers provide a default directory for writing the license file and billing log at runtime. The default directories are /license and /output respectively.

When you're mounting these directories to the container with the docker run -v command, make sure the local machine directory has set ownership to user:group nonroot:nonroot before running the container.

Here's a sample command to set file/directory ownership:

sudo chown -R nonroot:nonroot <YOUR_LOCAL_MACHINE_PATH_1> <YOUR_LOCAL_MACHINE_PATH_2> ...

Test the container

Once the container is up and running, you can validate its operation by sending a request to the REST endpoint deployed within the container. To do this, follow the steps in the quickstart. Note, you need to replace the endpoint URL with the Docker URL specific to your container deployment. Also, ensure that you're using host authentication, rather than key-based authentication.

Analyze image quickstart

Next steps

See the content safety containers overview
Review configure containers for configuration settings
Use more Azure AI containers