Connecting a Registry
A registry connection in HarborGuard is the source of truth for an image catalog. Once connected, HarborGuard enumerates repositories and tags, applies your include/exclude filters, and dispatches scans on a schedule (or in response to a push event, where the registry supports it). Stored credentials are encrypted at rest.
Supported providers
| Provider | Auth methods | Push-event sync | Tag-filter granularity | Notes |
|---|---|---|---|---|
| Docker Hub | Username + access token, anonymous (public repos only) | Webhook (paid plans) | Glob include/exclude | Anonymous pulls are heavily rate-limited; an authenticated token is strongly recommended even for public images |
| AWS ECR | IAM access key + secret, IAM role assumption from a connected sensor | EventBridge via PutImage | Glob include/exclude | Per-region; cross-account requires explicit repository-policy grants |
| Google Artifact Registry | Service-account JSON key (_json_key), Workload Identity from sensor | Pub/Sub on gcr topic | Glob include/exclude | Legacy gcr.io and modern *-docker.pkg.dev use different hostnames and IAM roles |
| Azure ACR | Service principal (client ID + secret), AAD token, admin user, managed identity from sensor | Event Grid (Premium SKU) | Glob include/exclude | Tag immutability and content-trust policies affect what HarborGuard can re-scan |
| GHCR | Personal access token (read:packages), GitHub App token | Repository package webhook | Glob include/exclude | User vs organization namespaces are separate; visibility flips silently when a repo is forked |
| GitLab Container Registry | Personal access token, deploy token, project access token, CI job token | Project Container Registry webhook | Glob include/exclude | Self-managed instances frequently expose the registry on port :5050 |
| Harbor | Robot account (recommended), username + password | Project webhook | Glob include/exclude | Robots are project-scoped; a robot from project A cannot list project B |
| JFrog Artifactory | Identity token (recommended), API key, username + password | Repository webhook | Glob include/exclude | Multiple Docker repositories can share one Artifactory host; the path is part of the registry URL |
| Quay.io | Robot account (recommended), OAuth token, username + password | Repository notification | Glob include/exclude | Robot accounts are scoped per-namespace; + in usernames is significant |
| Sonatype Nexus | Username + password, user token | None (poll-only) | Glob include/exclude | Group repositories aggregate hosted + proxy; HarborGuard scans whatever is materialized at pull time |
| Custom / OCI Distribution | Basic auth, bearer token, anonymous | None (poll-only) | Glob include/exclude | Any spec-compliant /v2/ endpoint; insecure HTTP must be opted in explicitly |
Connecting a registry
The flow is the same for every provider. From Dashboard → Registries → Connect Registry:
- Provider — Type the registry URL. HarborGuard auto-detects the provider from the hostname (`*.dkr.ecr.*.amazonaws.com` → ECR, `*.azurecr.io` → ACR, `*-docker.pkg.dev` → GAR, etc.). For self-hosted Harbor or Nexus, the wizard falls back to Custom — pick the provider explicitly.
- Scan method — Choose Cloud (HarborGuard pulls images from a managed scanner) or Sensor (a container you run inside your network does the pull). Sensor mode is the right answer for air-gapped networks, IP-restricted registries, and any registry that authenticates via instance metadata (IAM roles, managed identity, Workload Identity).
- Credentials — Enter the credential type required by the provider. The wizard adapts the form: ECR shows access key + secret, every other cloud provider shows username + password/token. Sensor mode skips this step entirely — the sensor authenticates locally.
- Allow HTTP / insecure — Only available when the URL is `http://` or scheme-less. Use this only for trusted internal registries; HarborGuard will refuse to enable it once `https://` is in the URL.
- Test — The Test Connection button issues a `GET /v2/` against your registry, follows the Docker Registry v2 token-auth flow if challenged, and reports `reachable`/`authenticated`/`latencyMs`. A 401 with no credentials reports as "reachable but unauthenticated"; a 401 with credentials reports as "authentication failed".
- Save — On save the registry is created and (for sensor mode) a scoped API key is minted. The wizard then either polls for the sensor's first heartbeat or (for cloud mode) confirms the connection and schedules the first sync.
The default schedule is daily. Push-event sync (`on_push`) is only meaningful for providers that emit a webhook HarborGuard can subscribe to — see each provider's page.
Per-registry guides
- AWS ECR: IAM, cross-account access, and regional considerations for Elastic Container Registry.
- Azure ACR: Service principal, managed identity, and AAD authentication.
- Custom / OCI: Generic Distribution-spec endpoints and any compliant /v2/ registry.
- Docker Hub: Rate limits and access tokens for Docker Hub repositories.
- GitHub GHCR: Personal access token scopes and package visibility rules.
- GitLab: Deploy tokens, CI job tokens, and self-managed GitLab registries.
- Google Artifact Registry: GAR vs legacy GCR plus service-account JSON authentication.
- Harbor: Robot accounts and project-scoped permissions for Harbor instances.
- JFrog Artifactory: Identity tokens and Docker repository paths inside Artifactory.
- Nexus: Group repositories and user-token authentication for Sonatype Nexus.
- Quay: Robot accounts and notification webhooks for Quay.io repositories.