Sonatype Nexus
Nexus Repository Manager's Docker support is unusual: every Docker repo (hosted, proxy, or group) needs its own HTTP connector — a dedicated port — because Nexus's main HTTP listener doesn't speak /v2/. The result is that every Nexus Docker registry has the form nexus.example.com:<connector-port>, and the port is part of the registry identity.
Auth options
| Method | When to use | HarborGuard fields |
|---|---|---|
| Username + password | Default; works against the local realm | Standard fields |
| User token | Recommended over password (supports SSO accounts) | Username = the token's name code, Password = token pass code |
| Anonymous | Public read-only Nexus Docker repos | Leave credentials blank |
There is no Docker-specific token primitive — you reuse Nexus user tokens.
Add the registry
- Registries → Connect Registry.
- Registry URL — `nexus.example.com:8082` (or whichever port the connector listens on; check Repository → Repositories for your Docker repo's HTTP connector port).
- Nexus is not auto-detected; pick Sonatype Nexus in the wizard.
- Cloud mode: username + password (or user token name code / pass code).
- If Nexus is HTTP-only, enable Allow HTTP / insecure.
- Save.
Required permissions
The user / token needs:
- `nx-repository-view-docker-<repo-name>-read` — list and pull from the specific repo.
- `nx-repository-view-docker-<repo-name>-browse` — list catalog (recommended).
Apply via a custom role or the bundled nx-anonymous/nx-admin roles. The default nx-anonymous role has no Docker permissions on private repos.
Push-event sync
Nexus does not emit registry push webhooks compatible with HarborGuard. The schedule options that work for Nexus are manual, daily, and weekly. If you need close-to-real-time scanning of Nexus content, trigger HarborGuard from your CI pipeline immediately after the push, using the registry's API key endpoint.
Common pitfalls
- The connector port. A Nexus instance with three Docker repos has three different ports. Don't guess — read the connector port from each repo's "Repository Connector" setting. Hosted, proxy, and group repos each need their own connector.
- Group repositories. A Docker group aggregates a hosted + proxy. Pulling through the group is fine, but `/v2/_catalog` returns the union — meaning HarborGuard scans whatever a pull resolves to, including upstream proxied images. You can end up scanning all of Docker Hub through your proxy if you don't filter tags aggressively.
- HTTPS termination. Nexus does not terminate TLS by default. The connector serves plain HTTP; a separate Apache / NGINX reverse proxy handles HTTPS. The URL you put into HarborGuard should match what your proxy exposes (HTTPS host) or the raw connector (HTTP, with insecure enabled).
- Repository-relative paths. Nexus Docker repos are flat — image names don't include the repo name. `docker.example.com:8082/myimage:1.0` is correct, not `docker.example.com:8082/myrepo/myimage:1.0`.
- User tokens disabled. "User Tokens" is a Pro feature and must be enabled in Nexus before generating one. On OSS Nexus, fall back to username + password.
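The connector-port, HTTPS-termination and repository-relative-path pitfalls above can all be caught before the registry is saved. The following is an added example (not HarborGuard or Nexus code) that checks a registry URL and an image reference against those rules; the `repo_names` set is an assumption supplied by the caller, listing the Docker repositories configured in that Nexus, and a scheme-less URL is assumed to mean HTTPS, as Docker clients assume for a bare host:port.

```python
"""Static checks for the values entered in the Connect Registry wizard.

Added example, not HarborGuard or Nexus code. Encodes the pitfalls listed
above: Nexus serves Docker only on per-repository connector ports, TLS
usually comes from a reverse proxy in front of the connector, and image
names are flat (the Nexus repository name is never part of the path).
"""
from urllib.parse import urlsplit


def check_registry_url(url: str, allow_insecure: bool = False) -> list[str]:
    """Return the problems found in a registry URL; empty list = looks usable."""
    problems = []
    if "://" not in url:
        url = "https://" + url  # assumption: bare host:port means HTTPS
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return [f"unsupported scheme {parts.scheme!r}"]
    try:
        port = parts.port
    except ValueError:
        return [f"invalid port in {parts.netloc!r}"]
    if parts.scheme == "http" and not allow_insecure:
        problems.append("connector is plain HTTP but 'Allow HTTP / insecure' is not enabled")
    if parts.scheme == "http" and port is None:
        # The main Nexus listener does not speak /v2/, so an HTTP URL without
        # a port can only be hitting the wrong listener.
        problems.append("no connector port: Nexus Docker repos are served on dedicated ports, not the main HTTP listener")
    if parts.path not in ("", "/"):
        problems.append(f"path {parts.path!r} in registry URL: the Nexus repo is selected by port, not by path")
    if parts.query or parts.fragment:
        problems.append("query string or fragment in registry URL")
    return problems


def check_image_ref(ref: str, repo_names: set[str]) -> list[str]:
    """Flag an image reference that wrongly includes a Nexus repository name.

    repo_names (constructed by the caller) is the set of Docker repositories
    in this Nexus; a first path segment matching one of them means the
    reference was written as if Nexus paths were repo-relative.
    """
    problems = []
    host, sep, path = ref.partition("/")
    # Docker's rule: the first component is a registry host only if it
    # contains '.' or ':' or is 'localhost'.
    if not sep or not ("." in host or ":" in host or host == "localhost"):
        return ["no registry host in reference; expected host:port/name[:tag]"]
    if ":" not in host:
        problems.append(f"registry host {host!r} has no connector port (only valid behind a reverse proxy on 443)")
    name = path.rsplit("@", 1)[0]            # drop any digest
    after_slash = name[name.rfind("/") + 1:]
    if ":" in after_slash:                    # a tag sits after the last '/'
        name = name[: name.rfind(":")]
    first_segment, _, rest = name.partition("/")
    if rest and first_segment in repo_names:
        problems.append(f"{first_segment!r} is a Nexus repository name, not part of the image name; use {host}/{rest}")
    return problems
```

Run `check_registry_url` on the value destined for the Registry URL field and `check_image_ref` on each reference that will be handed to the scanner; a non-empty list is a reason to re-read the repo's connector settings rather than to save.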
Troubleshooting
| Symptom | Likely cause |
|---|---|
| Connection refused on :443 | Nexus connector listens on a different port; use the right one |
| 401 with correct password | SSO-only user with no local realm credentials — issue a user token |
| Catalog returns thousands of images for a small org | Group repository proxying Docker Hub — restrict the proxy or filter tags |
| `/v2/_catalog` returns 404 | Connector configured but Allow anonymous pull is off and the request was unauthenticated |
| TLS errors | Reverse proxy presents a different cert than what's in the URL |
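The table above can be turned into a probe that issues the two requests a registry check actually makes, `GET /v2/` and then `GET /v2/_catalog`, and reports which row applies. This is an added example, not HarborGuard or Nexus code. It assumes the connector accepts HTTP Basic credentials (a user token's name code and pass code are sent exactly like a username and password), treats a catalog of 1000 or more entries as the "group proxying Docker Hub" symptom (a constructed threshold), and takes the HTTP transport as a parameter so the decision logic can be exercised offline with canned responses.

```python
"""Probe a Nexus Docker connector and map the outcome onto the troubleshooting table.

Added example, not HarborGuard or Nexus code. The transport is injectable
(fetch=...) so the logic can run against canned responses without a network.
"""
import base64
import json
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen


def urllib_fetch(url: str, headers: dict) -> tuple:
    """Default transport: (status, response headers, body). Status 0 = no HTTP response."""
    try:
        with urlopen(Request(url, headers=headers), timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")
    except URLError as err:
        return 0, {}, str(err.reason)


def basic_auth_header(username: str, password: str) -> dict:
    """Assumption: the connector takes Basic auth; a user token's name code / pass code go here unchanged."""
    raw = f"{username}:{password}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def _result(stage, detail, ok=False, repositories=None):
    out = {"ok": ok, "stage": stage, "detail": detail}
    if repositories is not None:
        out["repositories"] = repositories
    return out


def diagnose(registry_url, username=None, password=None, fetch=urllib_fetch, large_catalog=1000):
    """Return {'ok', 'stage', 'detail'} and, when the catalog was read, 'repositories'."""
    base = registry_url if "://" in registry_url else "https://" + registry_url
    base = base.rstrip("/")
    headers = basic_auth_header(username, password or "") if username else {}

    status, _, body = fetch(base + "/v2/", headers)
    if status == 0:
        if "certificate" in body.lower():
            return _result("tls", "TLS handshake failed: the reverse proxy presents a certificate that does not match the host in the URL")
        return _result("connect", f"no HTTP response ({body}): check the repo's HTTP connector port; Nexus does not serve Docker on the main listener")
    if status == 404:
        return _result("v2", "no /v2/ endpoint on this port: probably the main Nexus listener rather than a Docker connector")
    if status == 401:
        return _result("auth", "credentials rejected or required: an SSO-only account has no local realm password, use a user token's name code / pass code")
    if status != 200:
        return _result("v2", f"unexpected HTTP {status} from /v2/")

    status, _, body = fetch(base + "/v2/_catalog", headers)
    if status == 401:
        return _result("auth", "catalog requires credentials holding nx-repository-view-docker-<repo-name>-browse")
    if status == 404:
        return _result("catalog", "catalog not found: Allow anonymous pull is off and the request was unauthenticated")
    if status != 200:
        return _result("catalog", f"unexpected HTTP {status} from /v2/_catalog")
    try:
        repos = json.loads(body).get("repositories", [])
    except ValueError:
        return _result("catalog", "catalog body is not JSON; a reverse proxy may be returning an HTML page")
    detail = f"{len(repos)} repositories listed"
    if len(repos) >= large_catalog:  # constructed threshold for the 'thousands of images' symptom
        detail += "; this looks like a group repository proxying Docker Hub: restrict the proxy or filter tags before scanning"
    return _result("catalog", detail, ok=True, repositories=repos)


if __name__ == "__main__":
    import sys
    # usage: python probe.py nexus.example.com:8082 [username] [password]
    print(json.dumps(diagnose(*sys.argv[1:4]), indent=2))
```

The `stage` field tells you how far the check got (`connect`, `tls`, `v2`, `auth`, `catalog`), which is usually enough to pick the right row of the table; a `v2` stage with a 404 is the classic sign of having used the main Nexus port instead of the repo's connector port.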