Container registries are centralized repositories for storing, managing, and distributing container images, serving as the critical bridge between image builds and deployments. These registries implement the OCI Distribution Specification, ensuring interoperability across tools and platforms while providing features like access control, vulnerability scanning, image signing, and geo-replication. Whether using public registries like Docker Hub or private registries like ECR and Harbor, understanding authentication methods, tagging strategies, and lifecycle management is essential for secure and efficient container operations. A key insight: always reference images by digest rather than tags in production to guarantee immutable deployments, and leverage pull-through caches to avoid rate limits and reduce latency.
What This Cheat Sheet Covers
This topic spans 12 focused tables and 85 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.
Table 1: Popular Registry Providers
| Provider | Example | Description |
|---|---|---|
| Docker Hub | `docker pull nginx:latest`<br>`docker push myuser/myapp:1.0` | • Most widely used public registry • supports public and private repositories with free and paid tiers • rate-limited pulls for anonymous users (100/6h) and authenticated free users (200/6h). |
| GitHub Container Registry (GHCR) | `docker pull ghcr.io/owner/image:tag`<br>`echo $GITHUB_TOKEN \| docker login ghcr.io -u user --password-stdin` | • Integrated with GitHub • uses personal access tokens or GITHUB_TOKEN for auth • supports public images without authentication and private images with fine-grained permissions. |
| Amazon ECR | `aws ecr get-login-password --region us-east-1 \| docker login --username AWS --password-stdin 123456.dkr.ecr.us-east-1.amazonaws.com`<br>`docker push 123456.dkr.ecr.us-east-1.amazonaws.com/repo:tag` | • AWS-managed registry with IAM-based access control • tokens expire after 12 hours • supports private and public registries • includes vulnerability scanning via Amazon Inspector. |
| Azure Container Registry (ACR) | `az acr login --name myregistry`<br>`docker push myregistry.azurecr.io/image:tag` | • Enterprise-grade registry with geo-replication, private endpoints, and RBAC • supports service principals, managed identities, and admin credentials • integrates with AKS seamlessly. |
| Google Artifact Registry | `gcloud auth configure-docker us-docker.pkg.dev`<br>`docker push us-docker.pkg.dev/project/repo/image:tag` | • Successor to GCR • supports Docker, Helm, Maven, npm, Python, and more • provides fine-grained IAM, vulnerability scanning via Binary Authorization, and multi-region replication. |
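
The introduction's advice to deploy by digest rather than tag can be checked mechanically. The following is an added example, not part of the original cheat sheet: it parses image references like those in Table 1, flags the ones that are not digest-pinned, and checks manifest bytes against a pinned digest. The function names and the sample manifest are constructed for illustration.

```python
import hashlib
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

def parse_ref(ref):
    """Split an image reference into (registry, repository, tag, digest)."""
    name, _, digest = ref.partition("@")
    # A tag colon can only follow the last "/"; an earlier colon is a registry port.
    slash, colon = name.rfind("/"), name.rfind(":")
    tag = None
    if colon > slash:
        name, tag = name[:colon], name[colon + 1:]
    first, _, rest = name.partition("/")
    # Docker convention: the first component is a registry only if it looks like a host.
    if rest and ("." in first or ":" in first or first == "localhost"):
        return first, rest, tag, digest or None
    repo = name if "/" in name else "library/" + name
    return "docker.io", repo, tag, digest or None

def classify(ref):
    """Return 'pinned', 'invalid-digest', 'floating-latest' or 'mutable-tag'."""
    _, _, tag, digest = parse_ref(ref)
    if digest:
        return "pinned" if DIGEST_RE.match(digest) else "invalid-digest"
    return "floating-latest" if tag in (None, "latest") else "mutable-tag"

def matches_pin(ref, manifest_bytes):
    """True if the manifest bytes served by a registry hash to the pinned digest."""
    digest = parse_ref(ref)[3]
    return digest == "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()

def audit(refs):
    """Map every reference that is not digest-pinned to the reason it was flagged."""
    return {r: c for r in refs if (c := classify(r)) != "pinned"}

# Constructed sample data: a stand-in manifest and references in the style of Table 1.
MANIFEST = b'{"schemaVersion": 2, "layers": []}'
PINNED = "ghcr.io/owner/image:tag@sha256:" + hashlib.sha256(MANIFEST).hexdigest()
REFS = ["nginx:latest", "myuser/myapp:1.0", "localhost:5000/app",
        "123456.dkr.ecr.us-east-1.amazonaws.com/repo:tag", PINNED]

if __name__ == "__main__":
    for ref, reason in audit(REFS).items():
        print(f"{reason:16} {ref}")
    print("pin verified:", matches_pin(PINNED, MANIFEST))
    print("tampered manifest accepted:", matches_pin(PINNED, MANIFEST + b" "))
```

A reference that carries both a tag and a digest is resolved by digest, so the tag in `PINNED` is informational only.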