Image-Warden does not perform automatic rollback.
Rollback policy is operationally risky: a previous candidate may have been
blocked by a scanner, force-released, cleaned up, or superseded by another
candidate. Instead, use iw-history to inspect what happened and then promote a
specific tag manually after review.
Show the release history for one image:
iw-history --image nginx --event releasedShow scanner blocks and forced releases around the same image:
iw-history --image nginx --event scan_blocked
iw-history --image nginx --event scanner_gate_ignored
iw-history --image nginx --event force_release_requestedShow skipped candidates:
iw-history --image nginx --event candidate_removedCandidate removals include a reason field in JSON output. For example,
already_released means Image-Warden found that the configured production tag
already points at the candidate digest and removed the candidate from the queue.
missing_from_registry means the staged tag no longer existed in the local
registry when release checked it.
Filter for one removal reason:
iw-history --image nginx --event candidate_removed --json \
| jq 'select(.reason == "already_released")'Filter by command source or broad category:
iw-history --source iw-release
iw-history --category scan
iw-history --image nginx --source iw-release --category releaseRaw JSON output is useful for scripts or deeper inspection:
iw-history --image nginx --jsonHuman-readable iw-history output uses local time by default. Use --utc if
you want the text timeline to match the UTC timestamps stored in events.log.
iw-history reads one JSONL event log file into memory. If your installation
rotates events.log, inspect an older uncompressed log explicitly:
iw-history --event-log ~/.local/state/image-warden/events.log.1 --image nginxCompressed rotated logs are not read automatically. Decompress them first or copy the relevant JSONL lines into a temporary file.
After selecting a previous tag from history, copy it over the configured production tag.
For the default local registry over HTTP:
skopeo copy \
--src-tls-verify=false \
--dest-tls-verify=false \
docker://127.0.0.1:5000/nginx:latest_20260517-1935_501b8add \
docker://127.0.0.1:5000/nginx:productionIf the image uses a custom production tag, replace production with that tag:
skopeo copy \
--src-tls-verify=false \
--dest-tls-verify=false \
docker://127.0.0.1:5000/nginx:stable_20260517-1935_501b8add \
docker://127.0.0.1:5000/nginx:stableFor TLS-enabled registries, use --src-tls-verify=true and
--dest-tls-verify=true.
Image-Warden only changes tags in the registry. Your runtime still has to pull and restart the workload.
Docker Compose:
docker compose pull nginx
docker compose up -d nginxPodman Compose:
podman compose pull nginx
podman compose up -d nginxSingle Docker container:
docker pull 127.0.0.1:5000/nginx:production
docker stop nginx
docker rm nginx
# Recreate with your normal docker run command.Single Podman container:
podman pull 127.0.0.1:5000/nginx:production
podman restart nginxiw-cleanupmay have already deleted older staging tags depending onKEEP_IMAGES.- A previous tag may have been force-released with
--ignore-scanner. - A previous tag may have been blocked by Trivy or Grype.
- If
production_tagis configured per image, rollback must copy to that tag, not necessarilyproduction. - If the image is multi-arch, make sure the tag you promote is the platform you actually run.