Container Registry
A container registry is a storage and distribution system for container images, letting teams push built images, version and tag them, and pull them for deployment across development, CI/CD, and production environments.
Definition
A container registry is a storage and distribution system for container images, letting teams push built images, version and tag them, and pull them for deployment across development, CI/CD, and production environments.
Overview
Once an application is packaged into a container image (via a Dockerfile build, for example), that image needs somewhere to live so it can be retrieved and run elsewhere — a container registry serves exactly that role, analogous to how a package registry (npm, PyPI) distributes libraries, but for container images. Registries store images as layered, content-addressable artifacts, organized into repositories (typically one per application or service) and tagged versions (e.g. `myapp:1.2.0` or `myapp:latest`), and expose a standard API (following the OCI Distribution Specification) that container runtimes and orchestrators use to push and pull images. Registries fall into a few categories: Docker Hub, the original and still widely used public registry, offering both public and private repositories; cloud-provider-managed registries (Amazon ECR, Google Artifact Registry, Azure Container Registry) that integrate tightly with their respective cloud's IAM, networking, and CI/CD services; and self-hosted or third-party registries (Harbor, GitHub Container Registry, JFrog Artifactory, Quay) chosen for specific needs like on-premises hosting, advanced vulnerability scanning, or multi-format artifact support beyond just containers. Beyond simple storage, modern registries typically provide vulnerability/image scanning (flagging known CVEs in an image's layers before it's deployed), access control (limiting which users, CI pipelines, or clusters can push or pull specific repositories), image signing and provenance verification (ensuring an image hasn't been tampered with and genuinely came from a trusted build pipeline — increasingly important given supply-chain attack concerns), and retention/lifecycle policies to automatically clean up old or unused image versions. A container registry sits at the center of the CI/CD pipeline for containerized applications: a build stage produces and pushes an image to the registry, and every subsequent deployment stage (staging, production, or a Kubernetes rollout) pulls that exact, immutable image by its tag or digest, making the registry the authoritative, versioned source of truth for what actually gets deployed.
Key Features
- Stores, versions, and distributes container images via the OCI Distribution Specification API
- Organizes images into repositories with tags (e.g. `app:1.2.0`) for version tracking
- Public options (Docker Hub) and cloud-managed options (ECR, Artifact Registry, ACR)
- Self-hosted/enterprise options (Harbor, Artifactory, Quay) for on-prem or advanced feature needs
- Built-in or integrated vulnerability/image scanning for known CVEs before deployment
- Access control restricting which users or systems can push/pull specific repositories
- Image signing and provenance verification for software supply-chain security
- Retention and lifecycle policies to clean up old or unused image versions automatically