Description
A `pkg:docker/...` PURL identifies a container image by name and digest or tag, but Docker images aren’t distributed as single downloadable files. They are composed of multiple layers, each stored as a separate blob in a Docker registry and retrieved via the Docker Registry HTTP API v2.

Key reasons:

- **No canonical file:** A Docker image isn’t a `.tar.gz` or `.zip`; it’s a manifest + config + N layers.
- **Layered, digest-addressed architecture:** Each part of the image must be downloaded individually by digest (e.g., `sha256:abc...`) via authenticated API requests.
- **Authentication required:** Docker Hub and others enforce token-based authentication, even for public images.
- **Toolchain needed:** Tools like `docker pull`, `skopeo`, or `crane` orchestrate these multi-step fetches; no single URL works on its own.

Hence, a Docker PURL does not map to a static downloadable URL, and trying to force one goes against the registry design.
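To make the point concrete, here is an added example (not part of the issue or the project's code) that resolves a `pkg:docker` PURL into the sequence of Registry API v2 requests a client actually has to issue. The manifest body and all digests are constructed sample data; the Docker Hub token endpoint is real, but other registries advertise their realm in the `WWW-Authenticate` header of the first 401 response.

```python
import hashlib
import json
from urllib.parse import parse_qs

DOCKER_HUB = "registry-1.docker.io"

# Constructed sample: an official Docker Hub image pinned by (fake) digest.
SAMPLE_PURL = "pkg:docker/alpine@sha256:" + "0" * 64

# Constructed manifest body, shaped like a schema-2 manifest response.
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"digest": "sha256:" + "a" * 64, "size": 1},
    "layers": [{"digest": "sha256:" + "b" * 64, "size": 2},
               {"digest": "sha256:" + "c" * 64, "size": 3}],
})


def parse_docker_purl(purl):
    """Split a pkg:docker PURL into (registry, repository, reference).

    The repository_url qualifier names a non-Hub registry; a bare name on
    Docker Hub is an official image under library/. A missing version means
    the 'latest' tag.
    """
    if not purl.startswith("pkg:docker/"):
        raise ValueError("not a pkg:docker PURL")
    path, _, query = purl[len("pkg:docker/"):].partition("?")
    registry = parse_qs(query).get("repository_url", [DOCKER_HUB])[0]
    name, _, reference = path.partition("@")
    if registry == DOCKER_HUB and "/" not in name:
        name = "library/" + name
    return registry, name, reference or "latest"


def registry_requests(purl, manifest_json):
    """Return the ordered (method, URL) requests needed to fetch the image.

    Layer and config digests are only known once the manifest has been
    fetched, so the list cannot be derived from the PURL alone.
    """
    registry, repo, ref = parse_docker_purl(purl)
    base = f"https://{registry}/v2/{repo}"
    reqs = []
    if registry == DOCKER_HUB:  # token is required even for public images
        reqs.append(("GET", "https://auth.docker.io/token?service=registry.docker.io"
                            f"&scope=repository:{repo}:pull"))
    reqs.append(("GET", f"{base}/manifests/{ref}"))
    manifest = json.loads(manifest_json)
    reqs.append(("GET", f"{base}/blobs/{manifest['config']['digest']}"))
    reqs.extend(("GET", f"{base}/blobs/{layer['digest']}") for layer in manifest["layers"])
    return reqs


def verify_blob(expected_digest, data):
    """A fetched blob is only acceptable if it hashes to the digest the manifest named."""
    algo, _, hexdigest = expected_digest.partition(":")
    return algo == "sha256" and hashlib.sha256(data).hexdigest() == hexdigest
```

Running `registry_requests(SAMPLE_PURL, SAMPLE_MANIFEST)` yields five requests (token, manifest, config blob, two layer blobs), each of which a PURL-to-URL mapper would have to know about before the manifest exists.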