Tagging strategy

  • :latest — never use in production manifests. It is mutable and changes silently.
  • :1.4.2 — semantic version. Immutable. Use in production deployments.
  • :main-abc1234 — branch + commit SHA. Good for CI/CD pipelines and staging deployments.
  • :sha-abc1234def5 — full digest. Most reproducible. Used in secure supply chain pipelines.
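As an added example (not code from the original page), a small Python linter that extracts `image:` references from a manifest and classifies each against the tag forms above, reporting any production reference that is not a semantic-version tag or an `@sha256:` digest. It treats `main-<commit>` and `sha-<commit>` tags alike as commit tags, because a tag name, whatever it encodes, is still a mutable pointer; only the `@sha256:` digest is content-addressed. Registry hosts, image names and the sample manifest are constructed for the example.

```python
import re

# Tag shapes from the tagging strategy above; a reference with no tag resolves to :latest.
SEMVER = re.compile(r"^v?\d+\.\d+\.\d+$")
COMMIT_TAG = re.compile(r"^[A-Za-z0-9_.-]+-[0-9a-f]{7,40}$")  # main-abc1234, sha-abc1234def5
DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")                 # content-addressed, immutable
PRODUCTION_OK = {"semver", "digest"}  # policy: what a production manifest may reference
IMAGE_LINE = re.compile(r"^\s*-?\s*image:\s*['\"]?([^'\"\s]+)")

def parse_ref(ref):
    """Split an image reference into (name, tag, digest); tag and digest may be None."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    # The tag separator is the last ':' after the last '/', so a registry port is not a tag.
    name, tag, colon = ref, None, ref.rfind(":")
    if colon > ref.rfind("/"):
        name, tag = ref[:colon], ref[colon + 1:]
    return name, tag, digest

def classify(ref):
    """Return one of: digest, invalid, latest, semver, commit-tag, other."""
    _, tag, digest = parse_ref(ref)
    if digest is not None:  # a digest pins content even if a tag is also present
        return "digest" if DIGEST.match(digest) else "invalid"
    if tag is None or tag == "latest":
        return "latest"
    if SEMVER.match(tag):
        return "semver"
    if COMMIT_TAG.match(tag):
        return "commit-tag"
    return "other"

def lint_manifest(text, allowed=PRODUCTION_OK):
    """Return (line_no, ref, class) for every image: line whose reference is not allowed."""
    violations = []
    for n, line in enumerate(text.splitlines(), 1):
        m = IMAGE_LINE.match(line)
        if m and classify(m.group(1)) not in allowed:
            violations.append((n, m.group(1), classify(m.group(1))))
    return violations

# Constructed sample manifest: one pinned image, one implicit :latest, one commit tag.
SAMPLE_MANIFEST = """\
containers:
  - image: ghcr.io/example/web:1.4.2
  - image: example/sidecar
  - image: ghcr.io/example/worker:main-abc1234
"""
```

Run `lint_manifest(SAMPLE_MANIFEST)` in a CI step and fail the job when the returned list is non-empty; pass a wider `allowed` set for staging, where the page accepts commit-tagged images.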

Vulnerability scanning

Integrate Trivy or Grype into CI — fail the build on HIGH or CRITICAL CVEs. Scan images on push via registry hooks (ECR scanning, Docker Hub scanning). Rebuild base images on a schedule to pick up OS patches even when application code has not changed.

Retention policies

Untagged images accumulate quickly in active registries. Set lifecycle rules: delete untagged images older than 7 days; keep only the last 10 tagged versions per repository.

Registry options

  • AWS ECR — deep IAM integration, private, OCI-compliant.
  • GitHub Container Registry (ghcr.io) — integrated with GitHub Actions, free for public repos.
  • Harbor — open-source, self-hosted, with built-in scanning and replication.