{ "slug": "container_registry", "term": "Container Registry", "category": "devops", "difficulty": "beginner", "short": "A storage and distribution system for Docker images — Docker Hub, Amazon ECR, GitHub Container Registry (GHCR), and Google Artifact Registry store versioned, immutable image tags.", "long": "Container registries store Docker images as layers, identified by tags (myapp:1.2.3 or myapp:abc123). Public registries: Docker Hub (default, rate-limited pulls), GitHub Container Registry (ghcr.io, free with GitHub). Private registries: Amazon ECR, Google Artifact Registry, Azure Container Registry — provide IAM-based access control, vulnerability scanning, and geographic replication. Best practices: never use :latest in production, tag with immutable identifiers (git SHA), scan images for CVEs before pushing, and rotate registry credentials.", "aliases": [ "Docker Hub", "ECR", "GHCR", "image registry" ], "tags": [ "devops", "containers", "docker" ], "misconception": "Docker Hub is the only container registry — major cloud providers have private registries with IAM integration, vulnerability scanning, and no rate limits — essential for production CI/CD pipelines.", "why_it_matters": "Docker Hub's rate limits (100 pulls/6h unauthenticated) break CI pipelines for teams with many parallel builds — a private registry in the same AWS region eliminates both rate limits and transfer costs.", "common_mistakes": [ "Using :latest tag — non-deterministic, makes rollbacks impossible.", "Public registry for private application images — code and configuration visible to anyone.", "No image vulnerability scanning — CVEs in base images go undetected.", "No registry cleanup — old images accumulate storage costs; add lifecycle policies." ], "when_to_use": [], "avoid_when": [], "related": [ "containerisation", "docker_multistage", "kubernetes_basics", "container_security" ], "prerequisites": [ "docker_multistage", "continuous_integration", "containerisation" ], "refs": [ "https://docs.aws.amazon.com/AmazonECR/latest/userguide/what-is-ecr.html" ], "bad_code": "# Non-deterministic latest tag:\ndocker build -t myapp:latest .\ndocker push myapp:latest\n# CI deploys latest — but what version is latest?\n# Rollback: push the previous latest back — which was?\n# Impossible to reproduce builds from 6 months ago", "good_code": "# Immutable SHA tag + semantic version:\nGIT_SHA=$(git rev-parse --short HEAD)\ndocker build -t 123456789.dkr.ecr.eu-west-1.amazonaws.com/myapp:$GIT_SHA .\ndocker push 123456789.dkr.ecr.eu-west-1.amazonaws.com/myapp:$GIT_SHA\n\n# Also tag with version:\ndocker tag myapp:$GIT_SHA myapp:v1.2.3\n\n# ECR lifecycle policy: keep last 10 tagged images\n# Scan on push: enabled\n# IAM: only CI role can push", "quick_fix": "Use ECR or GHCR — push on every merge to main with both :latest and :commit-sha tags; scan images for vulnerabilities with Trivy before pushing to production registry", "severity": "medium", "effort": "low", "created": "2026-03-16", "updated": "2026-03-22", "citation": { "canonical_url": "https://codeclaritylab.com/glossary/container_registry", "html_url": "https://codeclaritylab.com/glossary/container_registry", "json_url": "https://codeclaritylab.com/glossary/container_registry.json", "source": "CodeClarityLab Glossary", "author": "P.F.", "author_url": "https://pfmedia.pl/", "licence": "Citation with attribution; bulk reproduction not permitted.", "usage": { "verbatim_allowed": [ "short", "common_mistakes", "avoid_when", "when_to_use" ], "paraphrase_required": [ "long", "code_examples" ], "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.", "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.", "attribution_examples": { "inline_mention": "According to CodeClarityLab: ", "markdown_link": "[Container Registry](https://codeclaritylab.com/glossary/container_registry) (CodeClarityLab)", "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/container_registry" } } } }