Image Lifecycle Policy
CascadeGuard publishes hardened container images that teams depend on in production. This page defines the official lifecycle policy — how long images are supported, how and when deprecation happens, and what action you need to take at each stage.
Image Lifecycle States
Every CascadeGuard image is in one of three states:
| State | Meaning | Where you see it |
|---|---|---|
| Active | Receiving security patches; rebuilt on schedule | Catalog, Dashboard, scan results |
| Deprecated | Available, but no longer actively rebuilt; migration recommended | Catalog (amber badge), scan warnings, email notification |
| EOL (End of Life) | Removed from active registry after grace period | Redirect to replacement image, this page |
Support Windows by Tier
What counts as a “supported version”? CascadeGuard tracks lifecycle at the release-track level — not individual patch releases. For Node.js this means LTS major lines (
node:20,node:22); for Go and Python it means minor lines (go:1.22,python:3.12). The rolling track tag (e.g.node:20) always resolves to the latest patch automatically. The deprecation clock starts only when the upstream project releases a new successor track — not on patch bumps within the same line.
Free Tier
| Image type | Support window |
|---|---|
| Latest supported version | Always supported (Active) |
| Previous supported versions | 90 days after a newer supported version is released |
Example: When node:22 ships, node:20 enters a 90-day deprecation window. At T+90 days, node:20 reaches EOL.
Paid Tier
| Image type | Support window |
|---|---|
| Latest supported version | Always supported (Active) |
| Previous supported versions | 180 days after a newer supported version is released |
Extended support beyond 180 days is available on request — contact your account team.
Paid tier also includes custom notification channels (webhook, Slack) and priority rebuild requests.
Deprecation Timeline
The following timeline applies when a new supported version is released. When discovery runs detect a new version, the published date is written to the state file and the previous version is automatically marked deprecated.
| Time | Event |
|---|---|
| T+0 | New version discovered; published date written to state file; previous version status set to deprecated; amber badge appears in catalog |
| T+0 | Email notification sent to users watching that image |
| T+60 days (Free) / T+150 days (Paid) | Reminder notification — “1 month remaining on [image]“ |
| T+90 days (Free) / T+180 days (Paid) | Image reaches EOL |
| T+90/180 + 30 days | Image removed from active registry |
| T+90/180 + 120 days | Digest purged entirely (no further pulls) |
Note: Digests for EOL images remain pullable for 90 days after EOL to allow time to migrate. After that, the digest is permanently removed.
What You Should Do
When an image is Deprecated (amber badge)
- Check the catalog or scan results for the
recommended_replacementfield — this tells you which image to migrate to. - Update your
images.yamlor Dockerfile to reference the replacement. - Run
cascadeguard scanto verify no deprecated images remain in your dependency tree. - Target migration before the EOL date shown in the catalog.
When an image reaches EOL
- Pulls of the EOL digest will continue to work for 90 days post-EOL.
- After 90 days, the digest is removed — any pipeline still referencing it will fail.
- If you need extended access beyond the grace period, contact support.
Upstream Deprecation Handling
CascadeGuard also tracks upstream deprecations from Docker Hub and other registries. When an upstream image is officially deprecated (e.g., openjdk):
- CascadeGuard marks the image
deprecatedimmediately, regardless of version age. - A
recommended_replacementis provided (e.g.,eclipse-temurin). - Scan worker flags
DEPRECATED_BASE_IMAGEfindings in Dockerfile scans. - A 90-day grace period applies before EOL, regardless of tier.
Upstream deprecations are announced on docker.com/blog and in the CascadeGuard changelog.
Staying Notified
Registered users can subscribe to lifecycle state changes for any image:
- Open the Dashboard and navigate to the Catalog tab.
- Click the image you want to track and enable Lifecycle notifications.
- You will receive email notifications at T+0 (deprecation) and T+60 days (Free) / T+150 days (Paid) (reminder).
Paid tier users can configure additional notification channels (webhook, Slack) from their account settings.
Questions or Exceptions
For questions about this policy, or to request a timeline exception, open an issue via the CascadeGuard support portal or reach out to your account team.
Automate with the CascadeGuard CLI
Using CascadeGuard Secure Images in production? Pair them with the CascadeGuard CLI to close the supply chain loop:
cg images— automatically detects when a base image is updated and triggers a signed rebuild of your downstream imagescg tools— pins and audits the GitHub Actions used in your build pipelines
Pull a secure base image and let CascadeGuard handle the rebuild loop when it changes.