Managed Image Deprecation Strategy
Purpose
Defines how CascadeGuard manages the lifecycle of hardened container images published to Docker Hub under cascadeguard/. Customers take production dependencies on these images — this policy ensures predictable support windows, clear deprecation signals, and sufficient migration time.
Versioning Granularity
Decided: rolling-tag-only (release-track/LTS level). CEO decision 2026-04-14.
CascadeGuard tracks lifecycle at the release-track/LTS level only. No per-patch deprecation.
- Patch releases within a track are rolling — the tag always points to the latest patch; no separate lifecycle event
- Lifecycle events fire only when an upstream release track reaches EOL or a new LTS/minor supersedes it
- Grace period: 3 months after the successor track reaches GA (applies to both Free and Paid tiers for track-level transitions)
Release-track definitions by upstream project
| Upstream project | “Track” definition | Deprecation trigger |
|---|---|---|
| Node.js | LTS major (node:20, node:22) | New LTS GA + 3-month grace |
| Go | Minor (go:1.22, go:1.23) | New minor GA + 3-month grace |
| Python | Minor (python:3.11, python:3.12) | New minor GA + 3-month grace |
| Others | Per upstream release schedule | New track GA + 3-month grace |
What this means for users: node:20 always resolves to the latest 20.x.x patch — no lifecycle events on patch bumps. When node:22 becomes the current LTS, node:20 enters a 3-month deprecation window then EOL. Customers pinning node:20.15.0 should use the rolling track tag instead.
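A check for the patch-pinning case described above, as an added example (not CascadeGuard's own tooling): it scans a Dockerfile for cascadeguard/ base images pinned to a patch version and suggests the rolling track tag according to the track table. The repository naming cascadeguard/<project>, the function name find_patch_pins and the sample Dockerfile are assumptions constructed for illustration.

```python
import re

# Number of version components that form a "track", from the policy table.
# Assumption: repositories are named cascadeguard/<project> on Docker Hub.
TRACK_COMPONENTS = {"node": 1, "go": 2, "python": 2}

FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?:docker\.io/)?"
    r"cascadeguard/(?P<name>[a-z0-9._-]+):(?P<tag>[A-Za-z0-9._-]+)",
    re.IGNORECASE,
)
NUMERIC_TAG_RE = re.compile(r"^\d+(?:\.\d+)*$")


def find_patch_pins(dockerfile_text):
    """Return (line_no, current_ref, suggested_ref) for each patch-pinned FROM."""
    findings = []
    for line_no, line in enumerate(dockerfile_text.splitlines(), start=1):
        m = FROM_RE.match(line)
        if not m:
            continue
        name, tag = m.group("name").lower(), m.group("tag")
        keep = TRACK_COMPONENTS.get(name)
        if keep is None or not NUMERIC_TAG_RE.match(tag):
            continue  # "Others" row or non-numeric tag: no track rule known here
        parts = tag.split(".")
        if len(parts) <= keep:
            continue  # already a rolling track tag such as node:20 or go:1.22
        track = ".".join(parts[:keep])
        findings.append(
            (line_no, f"cascadeguard/{name}:{tag}", f"cascadeguard/{name}:{track}")
        )
    return findings


# Constructed sample Dockerfile (not from the page).
SAMPLE = """\
FROM cascadeguard/node:20.15.0 AS build
FROM cascadeguard/go:1.22
FROM --platform=linux/amd64 cascadeguard/python:3.11.4
FROM cascadeguard/node:22
FROM cascadeguard/nginx:1.27.0
"""

if __name__ == "__main__":
    for line_no, current, suggested in find_patch_pins(SAMPLE):
        print(f"line {line_no}: {current} is patch-pinned; use {suggested}")
```

Images under the “Others” row are skipped because the page defines their track only as “per upstream release schedule”.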
Rationale (CEO, 2026-04-14): Every competitor (Chainguard, Docker Official, Ubuntu, Bitnami, AWS ECR) uses this model — zero user education cost. Per-patch tracking adds engine complexity with no market precedent. Differentiation comes from scan quality and actionable remediation.
Image Lifecycle States
| State | Meaning | Visibility |
|---|---|---|
| Active | Receiving security patches, rebuilt on schedule | Catalog, Dashboard, Docs site |
| Deprecated | Still available but no longer rebuilt; migration recommended | Amber badge in catalog, scan warnings, docs site |
| EOL | Removed from active registry after grace period | Redirect to replacement, docs site |
Support Windows
Free Tier
- Latest supported track: Always active
- Previous supported tracks: Supported for 90 days after a new track is published
- Rationale: Competitive with Chainguard (zero legacy on free), keeps maintenance footprint tight, creates clear incentive to upgrade
Premium Tier (future)
- Extended support: previous tracks supported for 180 days
- Extended support beyond 180 days available on request
- Custom notification channels (webhook, Slack)
- Priority rebuild requests
Note on “supported version”: CascadeGuard images span heterogeneous upstream versioning (Node 20→22 is major, Go 1.21→1.22 is minor). The policy uses “release track” rather than “minor version” to remain version-scheme-agnostic.
Deprecation Timeline
- T+0 — New track published → previous track enters deprecation window; amber badge appears, notification sent to subscribers.
- T+2 months — Reminder notification: “1 month remaining” (free tier)
- T+90 days (free) / T+180 days (premium) — Track reaches EOL
- T+90/180 days + 30 days — Image removed from active registry
Upstream Deprecation (Docker Hub)
When Docker Hub officially deprecates an image (e.g., openjdk):
- CascadeGuard marks the image deprecated immediately, with a recommended replacement where available
- A 90-day grace period applies before EOL, regardless of tier
- Users are notified via standard lifecycle notification channels
User Notifications
- Free users: lifecycle state change notifications via email
- Premium users: email plus configurable webhook and Slack integrations
- Users opt in to notifications per image via their dashboard
Private Registry (Future)
A private registry at registry.cascadeguard.com is planned to gate premium and extended-support images. This is a prerequisite for the paid tier but not for the free-tier deprecation policy.
Competitive Positioning
| Provider | Free Support | Paid Support |
|---|---|---|
| Chainguard | Rolling latest only, zero legacy | Extended via paid plan |
| Docker Hub Official | No formal SLA | Docker Scout advisories |
| CascadeGuard | Latest + 90 days previous track | Latest + 180 days previous track |
Our 3-month free window is meaningfully more generous than Chainguard’s rolling-only model while keeping maintenance manageable.