
Structured tagging of images to differentiate pre-release versions #881

@lucas42

Tell us about your request
Image tagging is currently unstructured, making it very hard to automatically determine whether a particular image is considered stable, or is a pre-release version.

I'd like to see a simple way to determine which images are stable, and which are pre-release (alpha, beta, rc etc).

Which service(s) is this request for?
My preference would be docker CLI, but it may be possible to do something in Docker Hub or another part of the docker ecosystem.

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
Many people are now using automated tooling to keep their software dependencies up-to-date. Examples of such tools include GitHub's Dependabot, Renovate and Snyk. One common pattern is to ask these tools to upgrade dependencies to the latest stable version, but not include any pre-release versions. This works well for most package managers as they either have a way to tag stable versions or follow a strict adherence to semantic versioning, meaning the tools can avoid pre-release versions if necessary.

However, for docker images, the unstructured nature of tagging means these tools need to add complex logic to guess whether a given tag counts as stable, and frequently get it wrong. This means sometimes pre-release images get used in production, or that stable images don't get upgraded to, possibly leaving security vulnerabilities in place.

Are you currently working around the issue?
There are a few ways to work around this:

  1. Bespoke logic for each base image used, to handle its specific tagging conventions
  2. Add a human software engineer into the upgrade process
  3. Accept using pre-release images, and the stability risks found in them
  4. Don't upgrade docker images, and accept the security risks

Additional context
I think there are various ways this problem could be solved, each with pros and cons. Some examples:

  • Enforce tags on new images to conform to a defined structure after a certain date. (Likely to be unpopular with lots of image publishers)
  • Create a well-defined convention for structured image tags, which image publishers are encouraged to adopt, but with no technical enforcement
  • Add a new field to image metadata so that publishers can convey whether the image is stable, regardless of tags
  • Write some centralised logic which parses an image's tags and determines whether it is stable.
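
The last option in the issue above, central logic that parses a tag and decides whether it is stable, can be sketched as follows. This is an added example, not part of the original issue or of any Docker tooling; the marker list, the function names and the sample tags are assumptions. Tags it cannot classify come back as `unknown`, so an updater can skip them instead of guessing.

```python
import re

# Pre-release markers: an assumed list; Docker defines no such convention.
PRERELEASE = re.compile(
    r"(?:^|[.\-_]|(?<=\d))"
    r"(alpha|beta|rc|pre|preview|dev|nightly|snapshot|canary|edge)"
    r"(?:[.\-_]?\d+)?(?=$|[.\-_])",
    re.IGNORECASE,
)
# Optional "v", up to four numeric components, then whatever follows.
VERSION = re.compile(r"^v?(\d+(?:\.\d+){0,3})(.*)$")
# A variant suffix such as "-alpine" or "-slim-bookworm".
VARIANT = re.compile(r"(?:-[a-z][a-z0-9.]*)+", re.IGNORECASE)


def classify_tag(tag):
    """Return 'prerelease', 'stable' or 'unknown' for one image tag."""
    if PRERELEASE.search(tag):
        return "prerelease"
    m = VERSION.match(tag)
    if not m:
        return "unknown"  # floating names such as "latest" carry no version
    suffix = m.group(2)
    if suffix and not VARIANT.fullmatch(suffix):
        return "unknown"  # e.g. "1.26.0b1": unrecognised, so not assumed stable
    return "stable"


def latest_stable(tags, variant=""):
    """Highest stable version among tags whose variant suffix equals `variant`."""
    best = None
    for tag in tags:
        if classify_tag(tag) != "stable":
            continue
        m = VERSION.match(tag)
        if m.group(2).lower() != variant:
            continue
        key = tuple(int(part) for part in m.group(1).split("."))
        if best is None or key > best[0]:
            best = (key, tag)
    return best[1] if best else None


# Constructed sample tags, not taken from any real repository.
SAMPLE_TAGS = ["latest", "nightly", "1.24.0", "1.25.3", "1.25.3-alpine",
               "1.26.0-rc1", "1.26.0-beta.2", "1.26.0rc1-alpine", "1.26.0b1"]

if __name__ == "__main__":
    for t in SAMPLE_TAGS:
        print(f"{t:20} {classify_tag(t)}")
    print("upgrade target:", latest_stable(SAMPLE_TAGS))
```

Versions are compared only within one variant suffix, so a `-alpine` tag is never offered as an upgrade for a tag without that suffix.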

Labels: community_new (New idea raised by a community contributor)
