KiloClawPowered by OpenClaw
Back to Cookbook

Container Registry Image Cleanup Tool

aka “Registry Sweeper

Reclaim the 40 TB of unused container images nobody noticed

Scans your container registry, cross-references running workloads to find images that are actually in use, and generates safe cleanup policies for everything else. Recovers storage costs without breaking rollbacks.

House RecipeWork3 min
Try in KiloClawFree 7-day trial

INGREDIENTS

🐙GitHub💬Slack

PROMPT

Create a skill called "Registry Sweeper". Clean up container registries safely: 1. Inventory the registry: - List all repositories and image counts (`aws ecr describe-repositories`, `aws ecr list-images`) - Calculate total size and per-repository size - Identify growth rate (images pushed per week) 2. Cross-reference with workloads: - `kubectl get pods -A -o jsonpath` to get all running image references - Check ECS tasks, Lambda functions, or other container runtimes - If manifests are available, also check deployment specs, cron jobs, and scale-to-zero workloads 3. Generate a cleanup plan: - Images not referenced by active workloads or declared deployments = candidate for deletion - Keep the N most recent tags per repo (configurable, default 10) for rollback - Keep any tag matching a release pattern (v*, release-*, etc.) - Calculate storage savings from cleanup 4. Generate lifecycle policies: - ECR Lifecycle Policy JSON for automated future cleanup - GCR/GHCR equivalent if applicable Always show the full list before deleting anything. Include a dry-run mode.

How It Works

Container registries grow silently until the bill is shocking. Every CI

run pushes a new image, and nothing ever deletes the old ones. This skill

finds what's actually running and what can be cleaned up.

What You Get

  • Registry inventory: total images, total size, growth rate
  • In-use identification: cross-reference with running K8s pods, ECS tasks, and deployment specs when available
  • Safe-to-delete list: images not referenced by active workloads or declared deployments, with age
  • Rollback preservation: keeps N most recent tags per repository
  • Lifecycle policy generation for automated future cleanup
  • Estimated cost savings from cleanup

Setup Steps

  1. Ensure your Claw has access to your container registry CLI (aws ecr, docker, etc.)
  2. Ensure kubectl access to identify running images
  3. Run the scan to get the inventory and cleanup plan
  4. Review the safe-to-delete list and apply

Tips

  • Always keep recent tags for rollback capability (default: last 10 per repo)
  • Check ALL clusters before deleting — an image might be unused in prod but running in staging
  • Generate ECR Lifecycle Policies to automate cleanup going forward
  • Watch for images referenced in deployment YAML that aren't currently running (scale-to-zero, cron jobs)
  • Start with the biggest repos — that's where the savings are
Tags:#containers#cost-optimization#cleanup#devops

Related Recipes

CVE Bouncer

Separate the 5 exploitable CVEs from the 500 that don't matter

Runs container and dependency scans, then triages the results by actual risk — not just CVSS score. Cross-references EPSS (exploit probability), KEV catalog (known exploited), and reachability analysis to surface what actually needs fixing today.

Work2 min

Right Sizer

Stop guessing CPU and memory limits — let actual usage data decide

Analyzes your pod resource usage over time and recommends properly sized requests and limits. Finds the pods running at 2% CPU with 4 cores requested, and the ones getting OOMKilled because limits are too low.

Work2 min

Generated Media Budget Manager

Keep Final Cut libraries from ballooning via render, proxy, and optimized files

Final Cut libraries can balloon to hundreds of gigabytes due to generated media — render files, proxy media, optimized media, and analysis files. This recipe monitors library sizes, tracks growth, and provides safe cleanup steps so you never run out of space mid-project.

Creative7 min setup

CLAWBITE AI

Local-first AI assistant that automates small daily tasks safely on your device

A personal, local-first AI assistant that automates small daily tasks—organizing files, setting reminders, and monitoring system events—without touching sensitive data or taking risky actions without your approval.

Personal5 min