Show a practical strategy: "Every image gets a git SHA tag for traceability and a semver tag for releases. CI scans before push. A cron job deletes images older than 90 days except tagged releases. Production always pulls a specific SHA, never latest."
Tagging strategies: semantic version tags (v1.2.3) for releases, git SHA tags for traceability, and environment tags (staging, production) as mutable pointers only. Never deploy latest to production: it is ambiguous and mutable, so you cannot tell which build is running or reproduce it.

Image cleanup: set retention policies that delete old images by age or count, run registry garbage collection, and remove untagged manifests.

Security scanning: integrate Trivy, Snyk, or Docker Scout into CI so images are scanned before they are pushed, and rescan existing images periodically, since new CVEs are published against packages that were clean at build time.

Strong candidates also discuss: multi-architecture manifests, registry mirroring for availability, pull-through caches to avoid upstream rate limits, and image signing with cosign or Docker Content Trust for supply-chain security.
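The tagging, scan-gate and retention rules above, worked through as an added Python example (not code from the page or from any registry or scanner project). The registry listing and the Trivy-shaped report are constructed sample data, the CVE identifiers are placeholders, and the repository name is hypothetical. One rule goes beyond the page: an old image currently pointed at by a staging or production environment tag is also retained, which is an assumption added here; the page only exempts tagged releases.

```python
"""Tag derivation, CI scan gate and 90-day retention for a container registry.

Added example, not code from the original page. Sample registry listing and
scan report below are constructed, and the CVE IDs are placeholders.
"""
import re
from datetime import date, timedelta

SEMVER_RE = re.compile(r"^v\d+\.\d+\.\d+$")          # release tags: v1.2.3
GIT_SHA_RE = re.compile(r"^[0-9a-f]{7,40}$")         # abbreviated or full git SHA
ENV_POINTERS = {"staging", "production"}             # mutable pointers, never pinned
RETENTION_DAYS = 90


def image_tags(repo, git_sha, version=None):
    """Tag set for one build: always a git SHA tag (traceability), plus a
    semver tag when the build is a release. 'latest' is never produced."""
    if not GIT_SHA_RE.fullmatch(git_sha):
        raise ValueError(f"not a git SHA: {git_sha!r}")
    tags = [f"{repo}:sha-{git_sha}"]
    if version is not None:
        if not SEMVER_RE.fullmatch(version):
            raise ValueError(f"release tag must look like v1.2.3, got {version!r}")
        tags.append(f"{repo}:{version}")
    return tags


def production_ref(repo, git_sha):
    """Production deploys a specific build: the immutable SHA tag, not a
    mutable pointer such as 'latest' or 'production'."""
    if not GIT_SHA_RE.fullmatch(git_sha):
        raise ValueError(f"not a git SHA: {git_sha!r}")
    return f"{repo}:sha-{git_sha}"


def scan_gate(report, fail_on=("CRITICAL", "HIGH")):
    """CI gate over a Trivy-style JSON report (Results[].Vulnerabilities[]).
    Returns (ok, blocking) where blocking lists (target, id, severity)."""
    blocking = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:   # Trivy emits null when clean
            if vuln.get("Severity") in fail_on:
                blocking.append((result.get("Target"), vuln.get("VulnerabilityID"), vuln["Severity"]))
    return (not blocking, blocking)


def retention_plan(manifests, today, keep_days=RETENTION_DAYS):
    """Cron-job logic: each manifest is {digest, tags, created}. Untagged
    manifests are deleted; manifests older than keep_days are deleted unless
    they carry a semver release tag or (assumption added here) are currently
    pointed at by an environment tag. Returns (delete, keep) digest lists."""
    cutoff = today - timedelta(days=keep_days)
    delete, keep = [], []
    for m in manifests:
        tags = set(m["tags"])
        if not tags:
            delete.append(m["digest"])
        elif any(SEMVER_RE.fullmatch(t) for t in tags) or tags & ENV_POINTERS:
            keep.append(m["digest"])
        elif m["created"] < cutoff:
            delete.append(m["digest"])
        else:
            keep.append(m["digest"])
    return delete, keep


# Constructed sample data (hypothetical repository, placeholder digests/CVEs).
REPO = "registry.example.com/team/app"
TODAY = date(2024, 6, 1)   # fixed so the output is reproducible; cutoff is 2024-03-03
SAMPLE_MANIFESTS = [
    {"digest": "sha256:" + "a" * 64, "tags": ["sha-0a1b2c3", "v1.2.3"], "created": date(2023, 9, 1)},
    {"digest": "sha256:" + "b" * 64, "tags": ["sha-4d5e6f7"], "created": date(2024, 1, 15)},
    {"digest": "sha256:" + "c" * 64, "tags": ["sha-8a9b0c1", "staging"], "created": date(2024, 1, 20)},
    {"digest": "sha256:" + "d" * 64, "tags": ["sha-2d3e4f5"], "created": date(2024, 5, 20)},
    {"digest": "sha256:" + "e" * 64, "tags": [], "created": date(2024, 5, 30)},
]
SAMPLE_REPORT = {
    "Results": [
        {"Target": "app (alpine)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-0000-0002", "Severity": "CRITICAL"},
        ]},
        {"Target": "app/requirements.txt", "Vulnerabilities": None},
    ]
}

if __name__ == "__main__":
    print("push tags:", image_tags(REPO, "0a1b2c3d", "v1.2.3"))
    print("prod ref :", production_ref(REPO, "0a1b2c3d"))
    print("scan gate:", scan_gate(SAMPLE_REPORT))
    print("retention:", retention_plan(SAMPLE_MANIFESTS, TODAY))
```

In the sample run the old build with only a SHA tag and the untagged manifest are deleted, while the release, the image the staging pointer references, and the recent build survive; the scan gate refuses the push because of the single CRITICAL finding. In a real pipeline the same functions would wrap `docker build`/`docker push`, `trivy image --format json`, and the registry's tag and manifest API.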
Tests production maturity. Candidates who push all images as latest and never clean up will have registries full of untracked, potentially vulnerable images. Those with a clear tagging, scanning, and retention strategy manage images professionally.