Every container image your team builds needs somewhere to live before it reaches a server. That place is a container registry.
It stores, versions, and distributes the packaged software that powers everything from single Docker containers to massive Kubernetes clusters running hundreds of microservices.
With the CNCF reporting that 80% of organizations now run Kubernetes in production, understanding how registries work isn’t optional anymore. It’s foundational.
This guide covers what a container registry actually does, how image layers and tagging work, the differences between public and private registries like Docker Hub, Harbor, and Amazon ECR, and how registries connect to your CI/CD pipeline. Plus security practices like vulnerability scanning and image signing that keep your software supply chain clean.
What Is a Container Registry
A container registry is a storage and distribution system for container images.
It works like a centralized hub where development teams push, store, version, and pull the packaged software they need to run applications across different environments.
Every container image you build (whether through Docker, Podman, or another tool) needs somewhere to live before it reaches a server. That’s the registry. It holds your images, tracks their versions through tags and digests, and controls who can access what.
But calling it “just storage” undersells what it does.
Registries handle image layer deduplication, metadata management, access control, and (in most cases) vulnerability scanning. They sit between your build pipeline and your production environment, acting as the single source of truth for every build artifact your team ships.
The container registry market hit $1.25 billion in 2024 and is growing at roughly 17% annually, according to Credence Research. That growth tracks directly with the rise of Kubernetes, microservices architecture, and cloud native development across every industry.
Public registries like Docker Hub serve as the default for open source projects and individual developers. Private registries (Harbor, JFrog Artifactory, GitLab Container Registry) give organizations tighter control over image distribution and security. Cloud providers run their own managed options too: Amazon ECR, Google Artifact Registry, and Azure Container Registry.
The CNCF 2024 Annual Survey found that 80% of organizations now run Kubernetes in production, up from 66% in 2023. Every one of those clusters pulls container images from a registry. Without a registry, there’s no practical way to distribute containerized applications at scale.
How a Container Registry Works
The basic operation is straightforward. You build an image locally, push it to a registry, and pull it from wherever you need to deploy.
Under the surface, there’s more happening than a simple file upload.
Image Layers and Storage
Container images aren’t single files. They’re stacks of layers, each representing a set of filesystem changes defined in a Dockerfile or similar build configuration.
When you push an image, the registry breaks it into individual layers and stores each one by its content hash (called a digest). If two images share the same base layer, the registry stores that layer only once.
Layer deduplication is what makes registries efficient. A team running 50 microservices based on the same Python base image doesn’t store 50 copies of that base. The registry keeps one copy and references it across all 50 image manifests.
The image manifest ties everything together. It’s a JSON document listing every layer digest, the image configuration, and metadata about the platform architecture (linux/amd64, linux/arm64, etc.).
Multi-architecture images use a manifest list (sometimes called an image index) that points to separate manifests for each platform.
Tags, Digests, and Versioning
Tags are human-readable labels pointing to a specific image manifest. When you run docker push myapp:v2.1.0, the tag v2.1.0 is a pointer.
Tags are mutable. Someone can push a new image with the same tag and overwrite what was there before. The latest tag is the biggest offender here. Took me a while to learn why pinning to latest in production is a bad idea. Your Tuesday deployment could pull a completely different image than your Monday deployment.
Digests solve this. A digest like sha256:a3f2... is an immutable reference to an exact image manifest. It never changes. Production environments that care about reproducibility pin to digests, not tags.
| Reference Type | Example | Mutable | Best For |
|---|---|---|---|
| Tag | myapp:v2.1.0 | Yes | Development, human readability |
| Latest tag | myapp:latest | Yes | Quick local testing only |
| Digest | myapp@sha256:a3f2... | No | Production, CI/CD pipelines |
Semantic versioning tags (like v2.1.0) give teams a predictable way to track releases, but the digest underneath is what guarantees you’re running the exact image you tested.
Container Registry vs. Container Repository
People mix these up constantly.
A repository holds all versions of a single container image. Think of it as a named collection. mycompany/api-service is a repository, and it contains every tagged version of that particular service.
A registry holds multiple repositories. Docker Hub is a registry. Inside Docker Hub, you’ll find thousands of repositories, each containing versions of a different image.
The hierarchy looks like this:
Registry (e.g., registry.example.com) → Repository (e.g., registry.example.com/team/api-service) → Tag or Digest (e.g., registry.example.com/team/api-service:v3.0.1)
You can see this structure in CLI commands. When you run docker pull nginx:1.25, Docker resolves that to registry-1.docker.io/library/nginx:1.25. The registry is Docker Hub. The repository is library/nginx. The tag is 1.25.
In your source control management workflow, this maps to a familiar concept. A registry is like your Git hosting platform (GitHub, GitLab). A repository is a single repo within that platform. Tags are, well, tags.
One registry can host hundreds or thousands of repositories. Large organizations often organize them by team, project, or environment (dev, staging, prod).
Types of Container Registries
Not all registries serve the same purpose. The right choice depends on your team size, security requirements, and where your infrastructure lives.
Public Registries
Docker Hub is the default. If you run docker pull postgres without specifying a registry, it pulls from Docker Hub. The platform reported over 20 million registered developers in 2024 and has accumulated over 318 billion all-time image pulls.
| Public Registry | Maintained By | Strengths |
|---|---|---|
| Docker Hub | Docker Inc. | Largest image library, Official Images program |
| GitHub Container Registry (ghcr.io) | GitHub/Microsoft | Tight GitHub Actions integration |
| Quay.io | Red Hat | Strong security scanning, open source focus |
Public registries work well for open source distribution and individual projects. But they come with constraints. Docker Hub enforces pull rate limits for unauthenticated users (and even free accounts). Your mileage will vary depending on how aggressively your CI runs.
Private and Self-Hosted Registries
Harbor (a CNCF graduated project) is the go-to for organizations wanting full control. It runs on your own infrastructure, supports role-based access control, image scanning with Trivy or Clair, and replication across multiple registries.
GitLab Container Registry ships built into GitLab. If your continuous integration and continuous deployment pipelines already run on GitLab, the registry integration is practically free.
JFrog Artifactory goes beyond containers. It’s a universal artifact repository that can handle Docker images, npm packages, Maven artifacts, Helm charts, and more. Teams with complex software development processes across multiple languages and frameworks often land here.
A BellSoft survey in early 2026 found that only 45% of container users work exclusively with trusted image registries. Self-hosting gives you the ability to enforce that policy across your entire organization.
Cloud Provider Registries
Amazon ECR integrates tightly with ECS, EKS, and AWS IAM. If your infrastructure runs on AWS, ECR removes the friction of managing registry credentials across services.
Google Artifact Registry replaced the older Google Container Registry and now supports Docker images, Helm charts, and language packages. It plugs directly into Google Kubernetes Engine (GKE) and Cloud Build.
Azure Container Registry connects to Azure Kubernetes Service (AKS) and supports geo-replication for teams deploying across regions. It also integrates with Microsoft Defender for automated vulnerability scanning.
Cloud registries dominate the market. Credence Research reported that cloud deployment held about 67% share of container registry usage in 2024, driven by app scaling needs and reduced operational overhead.
Why Teams Use Private Container Registries
Public registries are fine for pulling community images. But any team shipping production software eventually needs a private registry.
Access control is the obvious reason. You don’t want your proprietary application images sitting on a public Docker Hub repository. Private registries let you define who can push, who can pull, and from which repositories.
Then there’s the network factor. Running a registry inside your own cloud VPC or data center means image pulls during deployment are fast and don’t depend on external service availability. When Docker Hub had outages in the past, teams without a local mirror felt it across their entire deployment pipeline.
Compliance drives adoption too. Industries like healthcare and finance have data residency requirements. Container images can contain application code, configuration files, and embedded secrets (even when they shouldn’t). Keeping those images within a controlled environment satisfies auditors.
Docker Hub introduced pull rate limits in 2020, and they’ve tightened since. As of 2025, unauthenticated users and free personal accounts face a 6-hour pull rate limit. Automated DevOps pipelines hammering Docker Hub multiple times per day can hit those limits fast.
Private registries also integrate directly into your CI/CD workflows. Your build server pushes an image, your scanning tool checks it, your policy engine approves it, and your orchestrator pulls it. All within a controlled loop. At least in my experience, that single-loop approach cuts down on the “it worked on my machine” problems that plague teams with loose image management.
Credence Research noted that large enterprises held nearly 61% of the container registry market share in 2024, largely because of these compliance, security, and scale requirements.
Container Registry Security
Security isn’t a feature you bolt on after setup. It’s baked into how you run a registry and how images move through your pipeline.
The BellSoft 2026 survey found that only 43% of container users use vulnerability scanning tools. That’s a gap. Especially when research shows the average Docker Hub container carries roughly 604 known vulnerabilities, according to a 2024 NetRise study.
Vulnerability Scanning
Image scanning tools inspect every layer of a container image, checking installed packages and libraries against known vulnerability databases (CVE feeds, NVD, vendor advisories).
Trivy is the most widely adopted open source scanner. It’s fast, runs as a single CLI binary, and integrates into CI pipelines with minimal setup. Harbor uses it as a built-in scanner.
Clair (maintained primarily by Red Hat engineers) runs as a background service and is the default scanner in Quay.io. It performs static analysis on image layers.
Snyk Container takes a commercial approach, connecting vulnerability data to fix recommendations and developer workflows.
Scanning matters because images age. An image that passed all checks last month might have new critical CVEs today. Running automated scans on a schedule (not just at build time) catches these issues before they reach production.
A Chainguard report from late 2025 found that 98% of remediated CVE instances occurred in images outside the top 20 most popular ones. The long tail of your image portfolio is where the risk hides.
Image Signing and Content Trust
Scanning tells you what’s in an image. Signing tells you who put it there.
Cosign (part of the Sigstore project, backed by the Linux Foundation) is the current standard for container image signing. It generates cryptographic signatures tied to an image digest, so consumers can verify that the image hasn’t been tampered with since it was published.
Notary (based on The Update Framework, or TUF) was Docker’s original approach to content trust. It’s still used, but Cosign has gained more traction in recent years because it’s simpler to integrate into existing configuration management and code review processes.
Token-based authentication controls who can push and pull images. Registries like Harbor and ECR support role-based access control, where different teams get different permission levels per repository. Combined with image signing, this creates a chain of trust from build to deployment.
Software supply chain attacks increased 742% between 2019 and 2024, according to SFEIR Institute research. Image signing and verification aren’t optional anymore. They’re table stakes for any team running containerization in production.
How Container Registries Fit Into CI/CD Pipelines
The registry sits at the center of every containerized software development workflow. Code goes in one end, tested images come out the other, and the registry is the handoff point between building and deploying.
The CD Foundation’s 2024 State of CI/CD Report found that 83% of developers participate in DevOps-related activities, up from 77% in 2022. Nearly all of those workflows involve pushing and pulling container images through a registry.
Here’s how images typically flow through a pipeline:
| Pipeline Stage | Registry Action | Tools Involved |
|---|---|---|
| Build | Push tagged image | Docker, Buildah, GitHub Actions |
| Scan | Check image layers for CVEs | Trivy, Snyk, Clair |
| Promote | Retag or copy to production repo | Skopeo, Crane, registry API |
| Deploy | Pull verified image | Kubernetes, ECS, Cloud Run |
Build stage: Your CI system compiles the application, packages it into a container image, and pushes it to the registry. Most teams tag with the Git commit SHA or a semantic version number so every build is traceable back to source.
Scan and verify: Before an image moves to production, automated scanning tools check it against vulnerability databases. Policy engines (like OPA Gatekeeper or Kyverno) can block images that don’t meet security standards from being deployed.
Deploy stage: The orchestrator (Kubernetes, Amazon ECS, or similar) pulls the approved image from the registry. In a blue-green deployment or canary deployment setup, the registry serves both the current and incoming versions simultaneously.
GitLab’s built-in container registry is a good example of tight integration. The registry ships as part of the platform, so your .gitlab-ci.yml can build, scan, push, and deploy without ever leaving the GitLab ecosystem. No separate credentials, no extra infrastructure.
Global Growth Insights data shows that over 68% of enterprises now use cloud-based registry systems specifically because they plug directly into automated pipelines.
Image promotion is where most teams get tripped up. The pattern that works: build once, push to a dev repository, scan it, then promote the exact same digest (not a rebuild) to a staging or production repository. Rebuilding introduces drift. Promoting by digest guarantees the image you tested is the image you deploy.
Webhooks connect the registry to downstream systems. When a new image lands in a specific repository, the registry can notify your deployment tooling to trigger a rollback in deployment or a new release automatically.
How to Choose a Container Registry
The right registry depends on where your team already lives. If you’re fully on AWS, ECR is the obvious pick. If you’re running multi-cloud, Harbor or JFrog Artifactory give you more flexibility.
But there are other factors that matter.
Team size and access control complexity: A five-person startup doesn’t need the same permission model as a 500-person engineering org. Small teams do fine with Docker Hub’s team-level access. Larger organizations need per-repository role-based access control, audit logging, and integration testing gating before image promotion.
OCI compliance and artifact support: Look, the Open Container Initiative spec matters more than people think. Registries that support OCI artifacts can store Helm charts, WebAssembly modules, and SBOMs alongside your container images. Not every registry does this well yet.
Cost structure: Cloud registries charge differently. Some bill by storage volume, some by data transfer, some per seat.
| Registry | Pricing Model | Free Tier |
|---|---|---|
| Docker Hub | Per-seat subscription | 1 private repo, rate-limited pulls |
| Amazon ECR | Storage + data transfer | 500 MB/month (12 months) |
| Harbor | Self-hosted (free OSS) | Unlimited (you pay for infra) |
| GitHub Container Registry | Storage + data transfer | 500 MB storage for free accounts |
Vendor lock-in: This is the tricky part. Cloud-native registries integrate deeply with their platform’s IAM, networking, and orchestration. That integration is convenient until you need to move workloads to another cloud.
Over 68% of enterprises are adopting cloud-based registries, according to Global Growth Insights. But multi-cloud strategies are growing too, and that makes software portability a real consideration.
Spotify is a practical example. The company runs a hybrid infrastructure and uses a combination of Google Cloud services with custom tooling to manage container image distribution across multiple environments.
OCI Distribution Specification and Registry Standards
The OCI Distribution Specification defines how container registries work at the protocol level. Push an image, pull an image, list tags, check if a blob exists. All standardized.
Before OCI, Docker’s proprietary V2 registry API was the standard by default. Every registry had to be compatible with Docker’s format or risk being left out. The OCI took that API, formalized it, and made it vendor-neutral.
The OCI released Distribution Spec 1.1 in 2024. That update added the Referrers API, which lets you link related artifacts (like signatures, SBOMs, and scan reports) to a specific container image inside the registry.
This is a bigger deal than it sounds.
Before the Referrers API, tools like Cosign and Notary had to use workarounds (specially crafted tags) to store image signatures alongside the images they signed. With 1.1, there’s now an official way to discover all artifacts related to a given image digest.
Registries as generic artifact stores is the direction everything is heading. Helm charts, Tekton bundles, OPA policies, Wasm modules, Falco rules. All of these can now be pushed to an OCI-compliant registry using the same protocols you use for container images.
Bitnami moved all of its Helm charts to OCI-only distribution in November 2024, served through Docker Hub. The Homebrew package manager distributes tools through GitHub Container Registry at a rate of over 500 terabytes monthly, according to Bret Fisher’s documentation on OCI artifacts.
| Artifact Type | OCI Support Status | Tools |
|---|---|---|
| Container images | Full, native | Docker, Podman, Buildah |
| Helm charts | GA since Helm 3.8 | Helm CLI |
| Signatures | Via Referrers API | Cosign, Notation |
| SBOMs | Via Referrers API | Syft, ORAS |
| Wasm modules | Supported | ORAS CLI |
The practical benefit for teams running infrastructure as code alongside containerized apps is clear. One registry, one set of access controls, one set of API integration endpoints. No separate Helm repository server, no separate signature store, no separate SBOM database.
Azure Container Registry, Amazon ECR, Google Artifact Registry, Harbor, and Quay.io all support OCI artifacts now. If your current registry doesn’t, it might be time to reevaluate.
Common Container Registry Operations
Day-to-day registry work comes down to a handful of operations. Pushing, pulling, tagging, cleaning up. None of it is complicated, but getting the habits right early saves headaches at scale.
Pushing and pulling images is where everyone starts. The Docker CLI handles it with docker push and docker pull. But there are lighter alternatives.
Skopeo copies images between registries without needing a local Docker daemon running. Useful for CI environments or air-gapped setups where running a full Docker installation isn’t practical.
Crane (from Google) is a Go-based tool for interacting with remote registries. Fast, statically linked, no daemon required.
Both tools work with any OCI-compliant registry.
Tagging strategies vary by team, but a few patterns keep showing up:
- Git commit SHA as tag (e.g.,
myapp:a1b2c3d) for traceability - Semantic version tags (
myapp:2.4.1) for releases - Environment-based tags (
myapp:staging,myapp:prod) for promotion tracking - Never rely on
latestfor anything beyond local testing
Garbage collection and retention policies are where most teams fall behind. Registries accumulate images fast. Every CI build that pushes a new image creates orphaned layers and untagged manifests over time.
Harbor runs garbage collection as a scheduled job. GitLab requires a two-step process: first run a cleanup policy to untag old images, then trigger garbage collection to reclaim the actual storage. Azure Container Registry offers configurable retention policies that auto-delete untagged manifests after a set number of days.
Without cleanup, registries balloon. I’ve seen teams burning through hundreds of gigabytes of storage on images nobody has pulled in months.
Mirroring and replication matter for teams deploying across regions. Harbor supports rule-based replication between registries (push or pull mode). Amazon ECR offers cross-region replication natively. Google Artifact Registry supports multi-region repositories where images are stored closer to your clusters.
The CNCF 2024 survey found that 65% of organizations run Kubernetes in multiple environments for portability. Every one of those setups benefits from registry replication to keep image pulls fast and reliable, regardless of where the cluster is running.
Post-deployment maintenance depends heavily on registry hygiene. Old images with known vulnerabilities sitting in your registry are a liability, even if they’re not actively deployed. Automated retention policies and continuous scanning are the baseline.
FAQ on What Is A Container Registry
What is the difference between a container registry and a repository?
A container registry holds multiple repositories. A repository holds all versions of a single image. Docker Hub is a registry. Inside it, library/nginx is a repository containing every tagged version of that specific image.
Is Docker Hub a container registry?
Yes. Docker Hub is the largest public container registry, with over 20 million registered developers. It stores and distributes container images. Other registries include Amazon ECR, Google Artifact Registry, Harbor, and GitHub Container Registry.
What is the difference between a public and private container registry?
Public registries let anyone pull images. Private registries restrict access through authentication and role-based access control. Teams handling proprietary code or operating under compliance requirements (healthcare, finance) typically need a private registry.
Do I need a container registry for Kubernetes?
Yes. Kubernetes pulls container images from a registry to run workloads on your cluster. Without a registry, there’s no standard way to distribute images to nodes. Every Kubernetes deployment references an image stored in a registry.
What is an OCI-compliant container registry?
It’s a registry that follows the Open Container Initiative Distribution Specification. This standard defines how images are pushed, pulled, and stored. OCI compliance means your images are portable across any conforming registry without vendor lock-in.
How does image vulnerability scanning work in a container registry?
Scanning tools like Trivy, Clair, or Snyk inspect every layer of a container image. They check installed packages against CVE databases to find known security flaws. Most registries can run scans automatically on push.
Can a container registry store Helm charts?
Yes. Since the OCI Distribution Spec 1.1 update in 2024, registries can store Helm charts, Wasm modules, SBOMs, and other artifacts alongside container images. Helm 3.8+ supports pushing and pulling charts using OCI protocols.
What happens when a container registry goes down?
Deployments that need to pull images will fail. Running containers aren’t affected since they already have their image layers. Teams mitigate this risk by using registry mirroring, replication across regions, or caching images locally.
How do container registries handle image versioning?
Registries use tags and digests. Tags are human-readable labels (like v2.1.0) that can be overwritten. Digests are immutable SHA256 hashes pointing to an exact image manifest. Production environments should pin to digests for reproducibility.
What is garbage collection in a container registry?
Garbage collection removes unreferenced image layers and untagged manifests to reclaim storage. Without it, registries accumulate old data from every CI build. Harbor, GitLab, and Azure Container Registry all support automated cleanup policies.
Conclusion
Understanding what is a container registry comes down to one thing: it’s the infrastructure that makes container image distribution reliable, secure, and repeatable across your entire app lifecycle.
Whether you’re running Docker Hub for open source projects, Harbor for self-hosted control, or Amazon ECR tied into your AWS ecosystem, the registry is where your software supply chain either holds together or falls apart.
Image scanning with tools like Trivy catches vulnerabilities before they ship. Signing with Cosign proves who built what. OCI-compliant artifact storage keeps your Helm charts, SBOMs, and container images under one roof.
Get your tagging strategy right. Set up retention policies early. And treat your registry with the same care you give your codebase, because at scale, it carries just as much weight.
Many of his resources are available on various design marketplaces and for free on Codepen.
Over the years, he's worked with a range of clients and contributed to design publications like Design Your Way, Designmodo, WebDesignerDepot, WPDean, Speckyboy, and Slider Revolution among others.
- How to Clear All App Data on Android at Once - May 14, 2026
- How to Prep Your Codebase for M&A Due Diligence - May 13, 2026
- TypeScript Cheat Sheet - May 12, 2026
