Skip to main content
Ask Linky AI ⌘K

How Chainguard Image Tags, Versions, and EOL Work

Updated

This article explains how Chainguard manages image versions, tags, and end-of-life (EOL) policies, including why specific versions may not be available and what to do in each case.

How Chainguard tags images

Chainguard images are published under three kinds of tags:

  • :latest: Always points to the most recent build of the newest supported major version. This tag is rebuilt whenever the image content changes (package updates, CVE patches). It is not a static reference.
  • Versioned tags (e.g., :3.12, :3): Track the latest patch within a specific version stream. :3.12 always reflects the newest patch of Python 3.12, not a specific release like 3.12.7.
  • Digest pinning (e.g., @sha256:abc123): A digest is a content-addressed reference to a specific image build. Digests do not change. Chainguard does not prune existing digests from the registry, so digest-pinned references remain valid indefinitely.

There is no tag that freezes on a specific upstream patch release. If you need reproducibility, use a digest.

Which versions does Chainguard build?

Chainguard builds and maintains the latest patch release of each actively supported upstream version stream, not every individual patch that has ever been released upstream.

For example, if Python has released 3.11.x, 3.12.x, and 3.13.x, Chainguard builds and maintains all three streams (assuming none are EOL). Within each stream, only the current latest patch is actively rebuilt. If you need a specific older patch and the current patch is newer, the supported path is to use the versioned stream tag, which gives you the latest patch with current security fixes applied.

Chainguard does not retroactively build versions that were already EOL when the image was added to the catalog. If an upstream project released a version before Chainguard started maintaining it, and that version had already reached EOL by that time, it will not be available.

What is EOL and how is it determined?

Chainguard follows endoflife.date to determine when an upstream version has reached end of life. When a version stream is marked EOL:

  • Chainguard stops rebuilding that version stream
  • The image accumulates CVEs without patches
  • The Vulnerabilities tab in the Console shows "no longer being scanned" for that tag

If you see an EOL date in the Console that differs from the upstream project's own website, it may be because endoflife.date and the upstream project use different support tier definitions. Chainguard follows endoflife.date.

Chainguard will not build new EOL versions, even on request. EOL software accumulates hundreds of CVEs per year and cannot be properly maintained.

What does "no longer being scanned" mean?

This message appears when a specific tag or image version is no longer being actively rebuilt. It means:

  • The version has been superseded (e.g., a patch version was replaced by a newer patch in that stream)
  • Chainguard has stopped producing new builds for that version
  • Vulnerability scanning stops because the image content is not changing

It does not mean the image was deleted. Existing digests remain available. It means you should move to the current version of that stream.

Finding available tags

To see what tags are available for an image, visit images.chainguard.dev and search for the image. You can also use chainctl images list to see tags in your org's catalog.

If you need a version that isn't available

Start by checking images.chainguard.dev to understand why the version isn't available, then follow the steps for your situation.

The version appears at images.chainguard.dev but is not in your org: Open a support ticket and request the tag be added to your organization. Include the exact image name and tag in your request.

The version does not appear at images.chainguard.dev: Check whether the upstream version has reached EOL by looking it up at endoflife.date.

  • If it is EOL: Chainguard does not build or maintain EOL versions. The right path is to upgrade to the latest supported version stream. If you have a hard dependency on the EOL version, contact your account team — some EOL versions may exist as unsupported legacy tags in the catalog depending on when Chainguard began maintaining that image, and they can check on your behalf.
  • If it is not EOL: The version may not yet be in Chainguard's build matrix, or may be a very recent upstream release still working through the build pipeline. Open a support ticket with the image name, the specific version you need, and your deadline. The team can confirm whether a build is planned and provide a timeline.

Need to pin to a specific build: Use a digest reference (@sha256:...). Digests are permanent and are never pruned from the Chainguard registry.

When to open a support ticket

Open a ticket if:

  • A version appears at images.chainguard.dev but is missing from your org
  • A version is not EOL upstream but does not appear in the Chainguard catalog
  • A tag that was previously available in your org has disappeared unexpectedly

Related articles

Comments

0 comments

Article is closed for comments.