
Container Registry

devops PHP 5.0+ Beginner
debt(d5/e3/b5/t5)
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches' (d5). Misuse patterns like :latest tags, missing vulnerability scanning, or public registry exposure require specialized tools (Trivy, Grype, ECR/GHCR scanning features) to detect. These aren't caught by compilers or default linters but are flagged by container security scanners listed in detection_hints.tools.

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3). The quick_fix indicates that switching registries and adding proper tagging is a parameterised fix: update the CI/CD config to push to ECR/GHCR with commit-SHA tags and add a Trivy scan step. This touches deployment configs and CI pipelines but remains a straightforward pattern replacement, not architectural rework.

b5 Burden Structural debt — long-term weight of choosing wrong

Closest to 'persistent productivity tax' (b5). Registry choice affects all container workflows: CI/CD pipelines, deployment scripts, developer local pulls, and image lifecycle management. Applies to web and cli contexts per applies_to. A poor registry choice (rate-limited Docker Hub) breaks parallel CI builds repeatedly, taxing multiple work streams, but doesn't define system architecture.

t5 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'notable trap' (t5). The misconception explicitly states that developers assume Docker Hub is the only option, missing that cloud provider registries offer IAM integration, vulnerability scanning, and no rate limits. The :latest tag trap (non-deterministic, breaks rollbacks) is a documented gotcha most developers eventually learn, but typically only after it has caused real pain in a production rollback.

About DEBT scoring →

Also Known As

Docker Hub ECR GHCR image registry

TL;DR

A storage and distribution system for Docker images — Docker Hub, Amazon ECR, GitHub Container Registry (GHCR), and Google Artifact Registry store versioned, immutable image tags.

Explanation

Container registries store Docker images as layers, addressed by repository name and tag (myapp:1.2.3 or myapp:abc123). Public registries: Docker Hub (the default, with rate-limited pulls) and GitHub Container Registry (ghcr.io, free with GitHub). Private registries: Amazon ECR, Google Artifact Registry, and Azure Container Registry provide IAM-based access control, vulnerability scanning, and geographic replication. Best practices: never use :latest in production, tag with immutable identifiers (the git SHA), scan images for CVEs before pushing, and rotate registry credentials.

Common Misconception

Docker Hub is the only container registry. In fact, the major cloud providers offer private registries with IAM integration, vulnerability scanning, and no rate limits, which are essential for production CI/CD pipelines.

Why It Matters

Docker Hub's rate limits (100 pulls per 6 hours for unauthenticated clients) break CI pipelines for teams with many parallel builds; a private registry in the same AWS region eliminates both the rate limits and the data transfer costs.

Common Mistakes

  • Using :latest tag — non-deterministic, makes rollbacks impossible.
  • Public registry for private application images — code and configuration visible to anyone.
  • No image vulnerability scanning — CVEs in base images go undetected.
  • No registry cleanup — old images accumulate storage costs; add lifecycle policies.

Code Examples

✗ Vulnerable
# Non-deterministic latest tag:
docker build -t myapp:latest .
docker push myapp:latest
# CI deploys latest — but what version is latest?
# Rollback: push the previous latest back — which was?
# Impossible to reproduce builds from 6 months ago
✓ Fixed
# Immutable SHA tag + semantic version:
REGISTRY=123456789.dkr.ecr.eu-west-1.amazonaws.com
GIT_SHA=$(git rev-parse --short HEAD)
docker build -t $REGISTRY/myapp:$GIT_SHA .
docker push $REGISTRY/myapp:$GIT_SHA

# Also tag the same image with a release version and push that tag too
# (the original tagged a local "myapp:$GIT_SHA" that was never built):
docker tag $REGISTRY/myapp:$GIT_SHA $REGISTRY/myapp:v1.2.3
docker push $REGISTRY/myapp:v1.2.3

# ECR lifecycle policy: keep last 10 tagged images
# Scan on push: enabled
# IAM: only CI role can push
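The fixed flow above, carried through as a complete, reusable script. This is an added example, not code from the glossary page: it refuses mutable tags up front, builds once under the commit SHA, gates the push on a Trivy scan that fails on HIGH/CRITICAL findings, and pushes both the SHA and the version tag. The registry address is the page's placeholder; the DOCKER and TRIVY variables are assumptions added so the pipeline can be dry-run with DOCKER=echo TRIVY=echo.

```shell
#!/bin/sh
# Added example (not from the glossary page): build, scan and publish an image
# under immutable tags only. DOCKER/TRIVY are overridable so the flow can be
# dry-run (DOCKER=echo TRIVY=echo) without a daemon or a scanner installed.
set -eu

DOCKER="${DOCKER:-docker}"
TRIVY="${TRIVY:-trivy}"

# validate_tag TAG: 0 only for immutable identifiers (7-40 hex git SHA or vX.Y.Z).
# "latest" and any other name is refused because such a tag can be re-pointed.
validate_tag() {
    tag="$1"
    case "$tag" in
        latest) return 1 ;;
    esac
    if printf '%s' "$tag" | grep -Eq '^([0-9a-f]{7,40}|v[0-9]+\.[0-9]+\.[0-9]+)$'; then
        return 0
    fi
    return 1
}

# image_ref REGISTRY REPO TAG: print the fully qualified reference, or fail on a bad tag.
image_ref() {
    validate_tag "$3" || { echo "refusing mutable or invalid tag: $3" >&2; return 1; }
    printf '%s/%s:%s\n' "$1" "$2" "$3"
}

# publish_image REGISTRY REPO SHA VERSION: build once under the SHA tag, gate on a
# Trivy scan (HIGH/CRITICAL findings exit non-zero and abort the push), then push
# the SHA tag and the release tag that points at the same image.
publish_image() {
    registry="$1" repo="$2" sha="$3" version="$4"
    sha_ref=$(image_ref "$registry" "$repo" "$sha")
    ver_ref=$(image_ref "$registry" "$repo" "$version")
    "$DOCKER" build -t "$sha_ref" .
    "$TRIVY" image --exit-code 1 --severity HIGH,CRITICAL "$sha_ref"
    "$DOCKER" tag "$sha_ref" "$ver_ref"
    "$DOCKER" push "$sha_ref"
    "$DOCKER" push "$ver_ref"
}

main() {
    # Placeholder registry from the page; replace with your own ECR/GHCR address.
    registry="${REGISTRY:-123456789.dkr.ecr.eu-west-1.amazonaws.com}"
    sha=$(git rev-parse --short=12 HEAD)
    publish_image "$registry" "myapp" "$sha" "$1"
}

# Usage: ./publish.sh v1.2.3   (run from the repo root with a Dockerfile present)
if [ $# -gt 0 ]; then main "$@"; fi
```

Because the scan runs against the locally built image before any push, a vulnerable image never reaches the registry; the ECR "scan on push" setting from the page is then a second line of defence rather than the only one.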

Added 16 Mar 2026
Edited 22 Mar 2026
DEV INTEL Tools & Severity
🟡 Medium ⚙ Fix effort: Low
⚡ Quick Fix
Use ECR or GHCR — push on every merge to main with both :latest and :commit-sha tags; scan images for vulnerabilities with Trivy before pushing to production registry
📦 Applies To
PHP 5.0+ web cli
🔍 Detection Hints
Using :latest tag in production (not reproducible); no image scanning; public registry for private PHP images; no image lifecycle policy (unbounded storage)
Auto-detectable: ✓ Yes (tools: ecr, ghcr, docker-hub, trivy, grype)
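The first detection hint (":latest or untagged images in production config") can be checked in CI before a scanner is even involved. The following is an added example, not tooling from the page: a POSIX shell lint that reads Dockerfiles, compose files and CI YAML on stdin and reports every image reference that is mutable, meaning it has no tag or uses :latest. Digest-pinned references count as immutable, and a registry port (host:5000/app) is not mistaken for a tag. The sample config embedded at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the glossary page): find mutable image references
# (no tag, or :latest) in Dockerfile FROM lines, YAML "image:" keys and
# "docker pull" commands. Exit code and output are meant for a CI gate.
set -eu

# image_is_mutable REF: 0 if REF is untagged or tagged :latest, 1 if pinned.
# Digests (@sha256:...) are pinned; only the part after the last "/" is inspected
# so that a registry port such as host:5000/app is not read as a tag.
image_is_mutable() {
    ref="$1"
    case "$ref" in
        *@sha256:*) return 1 ;;
        scratch) return 1 ;;
    esac
    last="${ref##*/}"
    case "$last" in
        *:latest) return 0 ;;
        *:*) return 1 ;;
        *) return 0 ;;
    esac
}

# find_mutable_refs: read config lines on stdin, print "LINENO: REF" for each
# mutable reference found. Returns 0 whether or not anything was found; callers
# gate on the output (see lint_config below).
find_mutable_refs() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        ref=""
        case "$line" in
            "FROM "*)
                # first argument that is not a flag such as --platform=...
                ref=$(printf '%s' "$line" | awk '{for (i = 2; i <= NF; i++) if ($i !~ /^--/) {print $i; exit}}') ;;
            *"image: "*)
                ref=$(printf '%s' "$line" | sed 's/.*image:[[:space:]]*//; s/[[:space:]]*$//') ;;
            *"docker pull "*)
                ref=$(printf '%s' "$line" | sed 's/.*docker pull[[:space:]]*//; s/[[:space:]]*$//') ;;
        esac
        [ -n "$ref" ] || continue
        ref=$(printf '%s' "$ref" | tr -d '"'"'")   # strip YAML quoting
        if image_is_mutable "$ref"; then
            printf '%s: %s\n' "$n" "$ref"
        fi
    done
}

# lint_config FILE: print findings and fail (exit 1) if any mutable ref exists.
lint_config() {
    findings=$(find_mutable_refs < "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample input: a Dockerfile, a compose fragment and a CI step.
# The digest below is a constructed placeholder, not a real image digest.
SAMPLE_CONFIG='FROM php:8.2-fpm
FROM --platform=linux/amd64 node AS builder
services:
  app:
    image: "ghcr.io/example/myapp:latest"
  db:
    image: postgres:16.2
  cache:
    image: redis@sha256:0000000000000000000000000000000000000000000000000000000000000000
run: docker pull localhost:5000/myapp'

# Usage: ./lint-images.sh --demo   or   ./lint-images.sh path/to/compose.yml
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_CONFIG" | find_mutable_refs
elif [ $# -gt 0 ]; then
    lint_config "$1"
fi
```

On the sample input the lint reports lines 2, 5 and 10 (node, ghcr.io/example/myapp:latest and localhost:5000/myapp); php:8.2-fpm, postgres:16.2 and the digest-pinned redis pass. Wiring lint_config into the pipeline that builds the image turns the "not reproducible" hint into a failing check rather than a code-review reminder.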
⚠ Related Problems
🤖 AI Agent
Confidence: Medium False Positives: Medium ✗ Manual fix Fix: Medium Context: File
CWE-829
