100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
DevOps

Container Registry

BeginnerTool11.7K learners

A container registry is a storage and distribution system for container images, letting teams push built images, version and tag them, and pull them for deployment across development, CI/CD, and production environments.

Definition

A container registry is a storage and distribution system for container images, letting teams push built images, version and tag them, and pull them for deployment across development, CI/CD, and production environments.

Overview

Once an application is packaged into a container image (via a Dockerfile build, for example), that image needs somewhere to live so it can be retrieved and run elsewhere — a container registry serves exactly that role, analogous to how a package registry (npm, PyPI) distributes libraries, but for container images. Registries store images as layered, content-addressable artifacts, organized into repositories (typically one per application or service) and tagged versions (e.g. `myapp:1.2.0` or `myapp:latest`), and expose a standard API (following the OCI Distribution Specification) that container runtimes and orchestrators use to push and pull images. Registries fall into a few categories: Docker Hub, the original and still widely used public registry, offering both public and private repositories; cloud-provider-managed registries (Amazon ECR, Google Artifact Registry, Azure Container Registry) that integrate tightly with their respective cloud's IAM, networking, and CI/CD services; and self-hosted or third-party registries (Harbor, GitHub Container Registry, JFrog Artifactory, Quay) chosen for specific needs like on-premises hosting, advanced vulnerability scanning, or multi-format artifact support beyond just containers. Beyond simple storage, modern registries typically provide vulnerability/image scanning (flagging known CVEs in an image's layers before it's deployed), access control (limiting which users, CI pipelines, or clusters can push or pull specific repositories), image signing and provenance verification (ensuring an image hasn't been tampered with and genuinely came from a trusted build pipeline — increasingly important given supply-chain attack concerns), and retention/lifecycle policies to automatically clean up old or unused image versions. A container registry sits at the center of the CI/CD pipeline for containerized applications: a build stage produces and pushes an image to the registry, and every subsequent deployment stage (staging, production, or a Kubernetes rollout) pulls that exact, immutable image by its tag or digest, making the registry the authoritative, versioned source of truth for what actually gets deployed.

Key Features

  • Stores, versions, and distributes container images via the OCI Distribution Specification API
  • Organizes images into repositories with tags (e.g. `app:1.2.0`) for version tracking
  • Public options (Docker Hub) and cloud-managed options (ECR, Artifact Registry, ACR)
  • Self-hosted/enterprise options (Harbor, Artifactory, Quay) for on-prem or advanced feature needs
  • Built-in or integrated vulnerability/image scanning for known CVEs before deployment
  • Access control restricting which users or systems can push/pull specific repositories
  • Image signing and provenance verification for software supply-chain security
  • Retention and lifecycle policies to clean up old or unused image versions automatically

Use Cases

Storing and versioning application container images built in a CI pipeline
Pulling exact, immutable image versions for Kubernetes or other orchestrator deployments
Scanning images for known vulnerabilities before allowing them into production
Restricting which teams or pipelines can push to sensitive production repositories
Signing images to verify build provenance and prevent supply-chain tampering
Mirroring or caching public images internally to reduce external dependency and rate limits

Alternatives

Docker HubAmazon Elastic Container Registry (ECR) · Amazon Web ServicesHarbor (self-hosted, open source)GitHub Container Registry · GitHub/Microsoft

Frequently Asked Questions