Wiz
Uncover hidden risks

Watch how the Wiz platform can expose unseen risks in your cloud environment without drowning your team in alerts.

All articles

Container Registries Explained

A container registry is a service that stores, manages, and distributes application images. Its architecture is designed to ensure availability by providing a centralized resource for container image discovery, distribution, and deployment.

Nicolas Ehrman
5 min read

What is a container registry?

A container registry is a service that stores, manages, and distributes application images. Its architecture is designed to ensure availability by providing a centralized resource for container image discovery, distribution, and deployment. Container registries can either be public or private and can be hosted by a third party or run on-premises. Among public container registries, Docker Hub dominates the market, though there are many other public container registries, such as public offerings (AWS, GCP, Azure) and ISV solutions like JFrog or Nexus.

So how do container registries fit into the cloud-native landscape? To put it simply, there’s never been a more pressing need for cloud-native architecture. In fact, Gartner predicts that by the year 2025, cloud-native platforms are anticipated to host 95% of digital workloads. We're seeing this shift happen right now with the rapid adoption of the cloud-native stack, which is predominantly built around the open-source container orchestration platform Kubernetes.

wiz academy

What is Container Security?

Container security is the process of securing the container pipeline, the content running inside the containers, and the infrastructure on which the containers run.

Read more

Kubernetes deploys applications and takes care of the complexities involved in managing containers, load balancing, storage, routing, scaling, and more. As seen below in Figure 1, this architecture relies heavily on container registries. The key reason for this reliance is that container registries ensure the availability of application images.

Figure 1: Cloud-native architecture

Taking a close look at Figure 1, you’ll find the essential components of modern cloud-native architecture. The app-descriptor YAML file consists of instructions to execute during the application deployment. These instructions include details like the number of replicas, container images, container registry, network policies, and more. (Throughout this article, we use Docker Hub as an example, but it's important to note that other container registries also operate similarly.)

Once the developer creates the application image, it gets pushed to the centralized container registry. The container registry serves as a valuable tool for developers to share and manage image life cycle, playing a crucial role in the cloud-native ecosystem. Any users who want to run the application locally can simply pull the image and run it as a container (Figure 2).

Figure 2: The role of container registries

The benefits of containers

In cloud-native architecture, running application services as containers offers several benefits. Containers are:

  • Lightweight: Containers, unlike virtual machines, share the host operating system's kernel. This leads to better resource utilization and potential cost savings in cloud environments.

  • Portable: Containers encapsulate everything—the application code, external dependencies, OS constructs, and more. This means there’s no need to install extra libraries or dependencies to run them.

  • Modular: For microservices applications, service isolation is key and can be achieved using containers. Separation ensures that updates or changes in one container don’t directly impact others.

Advanced Container Security Best Practices [Cheat Sheet]

This cheat sheet goes beyond the no-brainer container security best practices and explores advanced techniques that you can put into action ASAP. Use this cheat sheet as a quick reference to ensure you have the pro

Download now

A closer look at container registry architecture

Container registries are made up of one or more image repositories. As previously mentioned, these repositories can be set to public or private. Inside an image repository, you'll find one or more images (Figure 3).

Figure 3: Docker Hub architecture

Versioning and tagging

Images in container registries represent different versions of an application. Versioning is usually managed through tagging. Each image can have multiple tags, which are often used to represent different versions of the same application or service. When you push an image to the container registry, you can assign it one or more tags. There are two main types of tags:

  1. Latest tag: When no tag is given, the container registry automatically tags the pushed image with the “latest” tag. It's a common practice to indicate the image's most current stable version with the “latest” tag.

  2. Custom tags: These are frequently used to identify specific build variations (e.g., alpine:3.19.0, alpine:3.18.5).

Cataloging

Cataloging is the process of organizing and listing all of the images that are accessible in a repository. This can be done in several ways:

  • Searching and filtering: Users can search for images using various filters, such as star ratings, official status, or automated build status. 

  • Image versioning in repositories: Users can pull specific versions of images using tags.

  • Image layers: Images are composed of layers, and the container registry stores information about these layers and efficiently manages the layers to reduce storage and speed up image pulling using the build cache. 

Security

  • Container registries are designed with security features to protect container images. By default, you'll find features like:

    • RBAC (role-based access control): This allows the assignment of user roles, each with specific permissions. It helps control who can push, pull, or manage repositories and images.

    • Automated scanning: Some container registries provide automated scanning for Common Vulnerabilities and Exposures (CVEs).

    • Image signing: Tools like Docker Content Trust enable the digital signing of images. This helps users verify that an image hasn’t been tampered with before pulling it.

    • Activity logs: Container registries keep logs of activities, including pushing, pulling, and deleting images.

Container registries and CI/CD pipelines

Now that we’ve looked at container registries and their architecture, let’s explore some of their industrial use cases. Container registries play a vital role in scalable continuous integration and continuous development (CI/CD) pipelines.

Figure 4: CI/CD pipeline workflow

Figure 4 demonstrates a CI/CD pipeline on Microsoft Azure. In this workflow, container registries play an integral role. Once Azure Pipelines builds the container image, it's pushed to a container registry like Docker Hub or Azure Container Registry. After this CI process, the CD process begins. Azure Pipelines pulls the image from the container registry, runs several test cases, and finally deploys the containerized application to the production server. 

This entire process can be automated because container registries offer centralized management for container images while providing seamless integration with CI/CD tools such as Github Actions, Azure Pipelines, Jenkins, and Argo CD. 

CI/CD Pipeline Security Best Practices [Cheat Sheet]

In this 13 page cheat sheet we'll cover best practices in the following areas of the CI/CD pipeline: Infrastructure security, code security, secrets management, access and authentication, monitoring and response

Download Cheat Sheet

Container registry and orchestration

When dealing with microservices applications that involve hundreds of containers, the complexity of managing aspects like network, storage, scaling, load balancing, and security increases exponentially. This is where the concept of orchestration comes in. Container orchestration tools provide a higher-level abstraction that allows us to manage the complexity of deploying a large number of containers.

Figure 5 illustrates how rolling out updates are handled in the popular container orchestration platform Kubernetes, demonstrating how container registries are involved in the orchestration process.

Figure 5: Rolling out an update in a Kubernetes cluster

Whenever a new update needs to be rolled out, Kubernetes cluster maintainers modify just the container image tag in the YAML app descriptor file. That’s the only action the application maintainer needs to perform. The rest of the complexity—such as deciding which node to deploy, load balancing, and creating new ReplicaSets—will be managed by the container orchestration tool with the support of the container registry.

Conclusion

In the rapidly evolving landscape of cloud-native technologies, the importance of container registries can't be overstated. More than just storage locations for application images, these registries are essential to the smooth functioning of modern software architecture. They stand at the heart of orchestrating and managing microservices applications, ensuring that everything from deployment to scalability is handled with precision. A misconfiguration could open the door for threat actors to tamper with the container images or even delete them, potentially leading to disruptions or security breaches.

The overall security of a container is a multifaceted discipline, extending beyond just container registries. It encompasses managing various aspects of the container life cycle, including images, registries, deployments, runtime, secrets, assets, network, orchestration, storage, and more. And in environments with multiple components, there can be numerous known and unknown security threats. Therefore, continuous monitoring and compliance assessments are essential. Enter Wiz

Our platform offers agentless scanning with comprehensive coverage across various resources such as PaaS, virtual machines, containers, serverless functions, and sensitive data without disrupting your business operations or requiring ongoing maintenance.

Figure 6: Wiz’s agentless scanning dashboard detects non-compliant containers in Kubernetes clusters

 Wiz offers comprehensive solutions for security and compliance that complement the capabilities of container registries. See for yourself how our industry-leading platform can secure your container registries as well as the rest of your cloud infrastructure: Schedule a demo today.

What's running in your containers?

Learn why CISOs at the fastest growing companies use Wiz to uncover blind spots in their containerized environments.

Get a demo

Continue reading

Credential Stuffing Explained

Wiz Experts Team

Credential stuffing is a type of cyberattack where automated tools are used to repeatedly inject stolen username/password combinations into various services to gain access to legitimate users’ accounts in addition to those that were originally breached.

Container Orchestration

Nicolas Ehrman

Container orchestration involves organizing groups of containers that make up an application, managing their deployment, scaling, networking, and their availability to ensure they're running optimally.

Native Azure Security Tools

Wiz Experts Team

This blog explores the significance of security in Azure environments and provides an overview of native as well as third-party security tools available to improve an organization’s Azure security stance.

Cross-site scripting

Wiz Experts Team

Cross-site scripting (XSS) is a vulnerability where hackers insert malicious scripts inside web applications with the aim of executing them in a user’s browser.