Skip to content
API ReferenceEndpoints

Registries

Registries are the source of every image HarborGuard scans. Each registry is bound to one organization, is encrypted at rest using envelope encryption, and may run in either cloud mode (HarborGuard pulls images directly) or sensor mode (a HarborGuard sensor inside your network performs the pull and reports back).

Base path: /api/registries

MethodPathMin role
GET/api/registriesviewer (any)
POST/api/registriesadmin
GET/api/registries/{registryId}viewer (any)
PUT/api/registries/{registryId}admin
DELETE/api/registries/{registryId}admin
POST/api/registries/test-connectiondeveloper
POST/api/registries/{registryId}/syncadmin
GET/api/registries/{registryId}/sensor-statusviewer (any)
POST/api/registries/schedule-scansadmin

Supported providers

The provider enum is fixed:

DOCKER_HUB | GHCR | AWS_ECR | AZURE_ACR | GOOGLE_GAR
GITLAB     | HARBOR | JFROG  | QUAY      | NEXUS
DOCKER_REGISTRY (any v2-compatible) | CUSTOM

When scanMethod = sensor on POST /registries, the response includes sensorApiKey (a one-time hg_ak_* value) used by the sensor to authenticate uploads. Credentials are never returned by GET — they are encrypted with a per-registry data encryption key (DEK), which is itself wrapped by the org's key encryption key (KEK).

GET
/registries
/registries

The Authorization access token

Authorization

X-API-Key<token>

Organization API key (hg_ak_*). Created from Settings → API Keys.

In: header

Authorization
Required
Bearer <token>

Authorization: Bearer hg_ak_... for organization API keys, or Authorization: Bearer hg_pat_... for Personal Access Tokens that impersonate a specific user.

In: header

next-auth.session-token<token>

NextAuth session cookie. Web only — set automatically at sign-in. Not usable for server-to-server.

In: cookie

curl -X GET "https://harborguard.co/api/registries" \
  -H "X-API-Key: <token>"

OK

{
  "data": [
    {
      "id": "string",
      "name": "string",
      "provider": "DOCKER_HUB",
      "url": "string",
      "scanMethod": "cloud",
      "scanning": {
        "schedule": "manual",
        "scanners": [
          "trivy"
        ],
        "tagInclude": "string",
        "tagExclude": "string"
      },
      "imageCount": 0,
      "health": {
        "status": "healthy",
        "lastSyncAt": "2019-08-24T14:15:22Z"
      },
      "sensorApiKey": "string",
      "createdAt": "2019-08-24T14:15:22Z",
      "updatedAt": "2019-08-24T14:15:22Z"
    }
  ]
}

POST
/registries
/registries

The Authorization access token

Authorization

X-API-Key<token>

Organization API key (hg_ak_*). Created from Settings → API Keys.

In: header

Authorization
Required
Bearer <token>

Authorization: Bearer hg_ak_... for organization API keys, or Authorization: Bearer hg_pat_... for Personal Access Tokens that impersonate a specific user.

In: header

next-auth.session-token<token>

NextAuth session cookie. Web only — set automatically at sign-in. Not usable for server-to-server.

In: cookie

Request Body

application/jsonRequired

name
Required
string

provider
Required
string

Value in: "DOCKER_HUB" | "GHCR" | "AWS_ECR" | "AZURE_ACR" | "GOOGLE_GAR" | "GITLAB" | "HARBOR" | "JFROG" | "QUAY" | "NEXUS" | "DOCKER_REGISTRY" | "CUSTOM"

urlstring

Required for DOCKER_REGISTRY, HARBOR, JFROG, NEXUS, GITLAB, CUSTOM.

credentialsUsernamePassword | UsernamePat | AwsEcr | GoogleGar | AzureAcr | HarborRobot | JfrogIdentityToken

Provider-specific credential payload. Exact required fields vary by provider.

scanMethodstring

Default: "cloud"Value in: "cloud" | "sensor"

scannersarray<string>

Default: ["trivy","grype","syft"]

schedulestring

Default: "daily"Value in: "manual" | "on_push" | "daily" | "weekly"

includeTagsstring

excludeTagsstring

insecureboolean

Default: false
curl -X POST "https://harborguard.co/api/registries" \
  -H "X-API-Key: <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Acme GHCR",
    "provider": "GHCR",
    "url": "https://ghcr.io",
    "credentials": {
      "username": "deploy-bot",
      "pat": "ghp_xxx"
    },
    "scanMethod": "cloud",
    "schedule": "daily",
    "includeTags": "v*"
  }'

Created

GET
/registries/{registryId}
/registries/{registryId}

The Authorization access token

Authorization

X-API-Key<token>

Organization API key (hg_ak_*). Created from Settings → API Keys.

In: header

Authorization
Required
Bearer <token>

Authorization: Bearer hg_ak_... for organization API keys, or Authorization: Bearer hg_pat_... for Personal Access Tokens that impersonate a specific user.

In: header

next-auth.session-token<token>

NextAuth session cookie. Web only — set automatically at sign-in. Not usable for server-to-server.

In: cookie

Path Parameters

registryId
Required
string

curl -X GET "https://harborguard.co/api/registries/string" \
  -H "X-API-Key: <token>"

OK

{
  "data": {
    "id": "string",
    "name": "string",
    "provider": "DOCKER_HUB",
    "url": "string",
    "scanMethod": "cloud",
    "scanning": {
      "schedule": "manual",
      "scanners": [
        "trivy"
      ],
      "tagInclude": "string",
      "tagExclude": "string"
    },
    "imageCount": 0,
    "health": {
      "status": "healthy",
      "lastSyncAt": "2019-08-24T14:15:22Z"
    },
    "sensorApiKey": "string",
    "createdAt": "2019-08-24T14:15:22Z",
    "updatedAt": "2019-08-24T14:15:22Z"
  }
}

PUT
/registries/{registryId}
/registries/{registryId}

The Authorization access token

Authorization

X-API-Key<token>

Organization API key (hg_ak_*). Created from Settings → API Keys.

In: header

Authorization
Required
Bearer <token>

Authorization: Bearer hg_ak_... for organization API keys, or Authorization: Bearer hg_pat_... for Personal Access Tokens that impersonate a specific user.

In: header

next-auth.session-token<token>

NextAuth session cookie. Web only — set automatically at sign-in. Not usable for server-to-server.

In: cookie

Request Body

application/jsonRequired

namestring

scanningobject

Path Parameters

registryId
Required
string

curl -X PUT "https://harborguard.co/api/registries/string" \
  -H "X-API-Key: <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "scanning": {
      "schedule": "weekly",
      "tagInclude": "release-*"
    }
  }'

OK

DELETE
/registries/{registryId}
/registries/{registryId}

The Authorization access token

Authorization

X-API-Key<token>

Organization API key (hg_ak_*). Created from Settings → API Keys.

In: header

Authorization
Required
Bearer <token>

Authorization: Bearer hg_ak_... for organization API keys, or Authorization: Bearer hg_pat_... for Personal Access Tokens that impersonate a specific user.

In: header

next-auth.session-token<token>

NextAuth session cookie. Web only — set automatically at sign-in. Not usable for server-to-server.

In: cookie

Path Parameters

registryId
Required
string

curl -X DELETE "https://harborguard.co/api/registries/string" \
  -H "X-API-Key: <token>"

OK

POST
/registries/test-connection
/registries/test-connection

The Authorization access token

Authorization

X-API-Key<token>

Organization API key (hg_ak_*). Created from Settings → API Keys.

In: header

Authorization
Required
Bearer <token>

Authorization: Bearer hg_ak_... for organization API keys, or Authorization: Bearer hg_pat_... for Personal Access Tokens that impersonate a specific user.

In: header

next-auth.session-token<token>

NextAuth session cookie. Web only — set automatically at sign-in. Not usable for server-to-server.

In: cookie

Request Body

application/jsonRequired

provider
Required
string

Value in: "DOCKER_HUB" | "GHCR" | "AWS_ECR" | "AZURE_ACR" | "GOOGLE_GAR" | "GITLAB" | "HARBOR" | "JFROG" | "QUAY" | "NEXUS" | "DOCKER_REGISTRY" | "CUSTOM"

urlstring

credentialsUsernamePassword | UsernamePat | AwsEcr | GoogleGar | AzureAcr | HarborRobot | JfrogIdentityToken

Provider-specific credential payload. Exact required fields vary by provider.

insecureboolean

Default: false
curl -X POST "https://harborguard.co/api/registries/test-connection" \
  -H "X-API-Key: <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "DOCKER_HUB",
    "url": "string",
    "credentials": {
      "username": "string",
      "password": "string"
    },
    "insecure": false
  }'

OK

POST
/registries/{registryId}/sync
/registries/{registryId}/sync

The Authorization access token

Authorization

X-API-Key<token>

Organization API key (hg_ak_*). Created from Settings → API Keys.

In: header

Authorization
Required
Bearer <token>

Authorization: Bearer hg_ak_... for organization API keys, or Authorization: Bearer hg_pat_... for Personal Access Tokens that impersonate a specific user.

In: header

next-auth.session-token<token>

NextAuth session cookie. Web only — set automatically at sign-in. Not usable for server-to-server.

In: cookie

Path Parameters

registryId
Required
string

curl -X POST "https://harborguard.co/api/registries/string/sync" \
  -H "X-API-Key: <token>"

Accepted

GET
/registries/{registryId}/sensor-status
/registries/{registryId}/sensor-status

The Authorization access token

Authorization

X-API-Key<token>

Organization API key (hg_ak_*). Created from Settings → API Keys.

In: header

Authorization
Required
Bearer <token>

Authorization: Bearer hg_ak_... for organization API keys, or Authorization: Bearer hg_pat_... for Personal Access Tokens that impersonate a specific user.

In: header

next-auth.session-token<token>

NextAuth session cookie. Web only — set automatically at sign-in. Not usable for server-to-server.

In: cookie

Path Parameters

registryId
Required
string

curl -X GET "https://harborguard.co/api/registries/string/sensor-status" \
  -H "X-API-Key: <token>"

OK

POST
/registries/schedule-scans
/registries/schedule-scans

The Authorization access token

Authorization

X-API-Key<token>

Organization API key (hg_ak_*). Created from Settings → API Keys.

In: header

Authorization
Required
Bearer <token>

Authorization: Bearer hg_ak_... for organization API keys, or Authorization: Bearer hg_pat_... for Personal Access Tokens that impersonate a specific user.

In: header

next-auth.session-token<token>

NextAuth session cookie. Web only — set automatically at sign-in. Not usable for server-to-server.

In: cookie

curl -X POST "https://harborguard.co/api/registries/schedule-scans" \
  -H "X-API-Key: <token>"

Accepted

Previous

Scans

Next

Images

On this page