Skip to main content

Container Registry

A container registry is a service that stores, versions, and distributes container images for pushing by builds and pulling by deployments.

A container registry is a server that stores and distributes container images. Build pipelines push images to a registry, and runtimes or orchestrators pull them when launching containers. Examples include Docker Hub, GitHub Container Registry, Amazon ECR, Google Artifact Registry, and Azure Container Registry, as well as self-hosted options like Harbor.

How It Works

Registries implement the OCI Distribution Specification, an HTTP API for uploading and downloading image layers and manifests by name, tag, and digest. When a client pulls an image, the registry returns a manifest listing the required layers; the client downloads only layers it does not already have cached. A registry may host many repositories, each holding multiple tagged versions of an image.

Registries are typically authenticated and can be public or private. Many add features such as vulnerability scanning, image signing and verification, replication across regions, retention policies, and access controls.

Why It Matters

The registry is the distribution backbone of a container platform. It is the single source of truth for what gets deployed, so its availability and integrity directly affect releases. Pulling from a slow or unreachable registry can stall deployments and autoscaling.

Security matters here too: a compromised registry or a pulled-but-untrusted image can introduce malware into production. Teams mitigate this with private registries, signed images, admission policies that reject unsigned images, and scanning on push.

Related Terms

A registry stores container images defined by the OCI image spec, which a container runtime pulls to create a container.