Tooling

Container Registries

Where you store and serve OCI images — hosted and self-hosted.

Hosted (free or generous)

  • GitHub Container Registry (ghcr.io) — free for public, generous for private with GHA integration. The default for OSS and small / mid teams.
  • Docker Hub — original; rate limits on free are real (200 pulls / 6 hr unauth, 200 / 6 hr free auth).
  • GitLab Container Registry — bundled with GitLab.
  • Cloudflare Container Registry — newer; pairs with Workers / Pages.
  • Quay.io (Red Hat) — public + private; free for OSS.
  • AWS ECR — pricier but ergonomic on AWS; ECR Public for OSS.
  • GCP Artifact Registry — clean; replaces gcr.io.
  • Azure Container Registry — Azure-native.
  • DigitalOcean Container Registry — small, simple; usually used with DOKS.
  • Scaleway / Hetzner / Linode container registries — provider-bundled.
  • JFrog Artifactory — enterprise; stores way more than just containers.

Self-hostable

  • Harbor (CNCF) — full-featured registry: vuln scanning, signing, replication, RBAC. The default self-host pick.
  • Distribution / Docker Registry — the reference implementation; OSS, minimal.
  • Quay — open-source version of Quay.io; Red Hat.
  • Forgejo / Gitea Package Registry — bundled with the git server; great for small teams.
  • Kraken (Uber) — peer-to-peer registry for huge clusters.
  • Zot — newer OCI-native, signing-aware registry.

Pull-through caches

  • Harbor proxy projects — cache upstream public images so you don't re-pull from Docker Hub on every build.
  • registry:2 in proxy mode — minimal pull-through.
  • Cloudflare R2 + crane — DIY tier.
  • Sonatype Nexus — multi-format proxy (npm, Maven, OCI, etc.).
  • JFrog Artifactory — same.

Image signing / supply chain

See Image Supply Chain — Cosign, Sigstore, Notary v2, in-toto, SBOMs.

Patterns to adopt

  • Pin by digest in production (@sha256:...), not tag. Tags are mutable.
  • Replicate to a second registry (Harbor → ECR or vice versa) for failover.
  • Pull-through cache to avoid Docker Hub rate limits.
  • Set retention policies — Harbor / GHCR support it; old tags pile up fast.
  • Sign images with Cosign and verify on pull / admission.
  • Scan before promote — Trivy / Grype on every PR; block high-severity into prod.

Mirroring / cost

  • Egress cost matters at scale — every node pull is bandwidth. Locate registries near nodes.
  • Image size matters — see Image Building for distroless / chainguard.
  • Registry storage rarely goes down on its own — set garbage collection / retention or you'll keep paying.

Pick this if…

  • Default for OSS or small team: GitHub Container Registry.
  • Self-host with full features: Harbor.
  • Tiny self-host, embed in git: Forgejo / Gitea bundled registry.
  • Already on AWS / GCP / Azure: the cloud-native registry; pair with VPC endpoints.
  • You hit Docker Hub rate limits: add a Harbor proxy project or move base images.
  • Air-gapped: Harbor with replication policies.

On this page