[sneak]

Unlike git commit hashes, docker image tags can be overwritten by the maintainer at any time, even if they map to a hit commit hash.

[larsla]

You can address image layers by sha256 hash. Do a docker pull of the image and the log will tell you the hash. Then you can do docker pull myimage@sha256:abc123def456...... I usually use these in my deployments since they can't be modified, it will require a new deploy.