devops/containers/container-registries/SKILL.md
Manage container registries including ECR, ACR, GCR, and Docker Hub. Push and pull images, configure authentication, set up repository policies, and implement image lifecycle management. Use when working with container image storage and distribution.
Store, manage, and distribute container images across cloud and self-hosted registries.
Use this skill when working with container image storage and distribution: pushing and pulling images, configuring registry authentication, setting repository policies, and managing image lifecycle.
## Docker Hub

```bash
# Interactive login
docker login

# Login with a Docker Hub access token instead of the account password
# (--password-stdin keeps the secret out of the process list and shell history)
echo "$DOCKER_TOKEN" | docker login -u username --password-stdin

# Tag image for your namespace
docker tag myapp:latest username/myapp:latest

# Push
docker push username/myapp:latest

# Pull
docker pull username/myapp:latest
```

Access tokens and repository settings are configured in the Docker Hub UI.
## Amazon ECR

```bash
# Create repository with scan-on-push and encryption at rest
aws ecr create-repository \
  --repository-name myapp \
  --image-scanning-configuration scanOnPush=true \
  --encryption-configuration encryptionType=AES256

# Get registry host (ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com)
REGISTRY=$(aws ecr describe-repositories \
  --repository-names myapp \
  --query 'repositories[0].repositoryUri' \
  --output text | cut -d'/' -f1)

# Login (Docker); the token is valid for 12 hours
aws ecr get-login-password --region us-east-1 | \
  docker login --username AWS --password-stdin "$REGISTRY"
```

Alternatively, install the Amazon ECR credential helper (`docker-credential-ecr-login` on `PATH`) and map the registry host to it in `~/.docker/config.json`, so Docker fetches a fresh token on every push or pull instead of depending on a cached 12-hour login (the account ID below is a placeholder):

```json
{
  "credHelpers": {
    "123456789012.dkr.ecr.us-east-1.amazonaws.com": "ecr-login"
  }
}
```

```bash
# Tag and push
docker tag myapp:latest "$REGISTRY/myapp:latest"
docker push "$REGISTRY/myapp:latest"

# Pull
docker pull "$REGISTRY/myapp:latest"
```
Lifecycle policies expire images automatically. This rule keeps the 10 most recently pushed images (tagged or untagged) and expires the rest:

```bash
aws ecr put-lifecycle-policy \
  --repository-name myapp \
  --lifecycle-policy-text '{
    "rules": [
      {
        "rulePriority": 1,
        "description": "Keep last 10 images",
        "selection": {
          "tagStatus": "any",
          "countType": "imageCountMoreThan",
          "countNumber": 10
        },
        "action": {
          "type": "expire"
        }
      }
    ]
  }'
```

Expiry deletes the image with no undo, so preview the effect on the current repository with `aws ecr start-lifecycle-policy-preview` and `aws ecr get-lifecycle-policy-preview` before applying a policy to a production repository.
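To see what a set of lifecycle rules would actually expire before committing them, the following added example (not AWS code and not part of this skill) simulates rule evaluation offline against a constructed inventory. It handles `tagStatus` `any`/`tagged`/`untagged`, `tagPrefixList` and `tagPatternList`, and both `imageCountMoreThan` and `sinceImagePushed`; the assumption that an image matched by an earlier rule is dropped from later rules is a simplification of the real engine, whose authoritative dry run is `start-lifecycle-policy-preview`.

```python
"""Offline simulation of ECR lifecycle policy rules (added example, not AWS code).

The inventory and policies below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "current time" for the sample


def _selected(tags, selection):
    """Does an image with these tags match the rule's tagStatus selection?"""
    status = selection["tagStatus"]
    if status == "any":
        return True
    if status == "untagged":
        return not tags
    if status == "tagged":
        # ECR requires tagPrefixList or tagPatternList for tagged selections
        if "tagPrefixList" in selection:
            return any(t.startswith(p) for t in tags for p in selection["tagPrefixList"])
        if "tagPatternList" in selection:
            return any(fnmatch(t, p) for t in tags for p in selection["tagPatternList"])
        raise ValueError("tagged selection needs tagPrefixList or tagPatternList")
    raise ValueError(f"unknown tagStatus {status!r}")


def expired_images(policy, images, now):
    """Return {digest: rulePriority} for every image the policy would expire.

    Rules run in ascending rulePriority. Simplification (an assumption, not the
    documented engine): an image matched by an earlier rule, whether expired or
    kept, is no longer considered by later rules.
    """
    remaining = sorted(images, key=lambda i: i["pushed_at"], reverse=True)  # newest first
    expired = {}
    for rule in sorted(policy["rules"], key=lambda r: r["rulePriority"]):
        sel = rule["selection"]
        matched = [img for img in remaining if _selected(img["tags"], sel)]
        if sel["countType"] == "imageCountMoreThan":
            hit = matched[sel["countNumber"]:]  # keep the N newest, expire the rest
        elif sel["countType"] == "sinceImagePushed":
            cutoff = now - timedelta(days=sel["countNumber"])  # countUnit is always days
            hit = [img for img in matched if img["pushed_at"] < cutoff]
        else:
            raise ValueError(f"unknown countType {sel['countType']!r}")
        for img in hit:
            expired[img["digest"]] = rule["rulePriority"]
        remaining = [img for img in remaining if img not in matched]
    return expired


def sample_images(now):
    """Constructed inventory: 12 release tags pushed one per day, plus 3 untagged images."""
    images = [{"digest": f"sha256:v{n:02d}", "tags": [f"v{n}"], "pushed_at": now - timedelta(days=13 - n)}
              for n in range(1, 13)]
    images += [
        {"digest": "sha256:untagged-recent", "tags": [], "pushed_at": now - timedelta(days=2)},
        {"digest": "sha256:untagged-old-a", "tags": [], "pushed_at": now - timedelta(days=20)},
        {"digest": "sha256:untagged-old-b", "tags": [], "pushed_at": now - timedelta(days=30)},
    ]
    return images


# The single "keep last 10 of anything" rule from the skill text
PAGE_POLICY = {"rules": [{
    "rulePriority": 1, "description": "Keep last 10 images",
    "selection": {"tagStatus": "any", "countType": "imageCountMoreThan", "countNumber": 10},
    "action": {"type": "expire"},
}]}

# A tiered policy: purge stale untagged images first, then cap release tags
TIERED_POLICY = {"rules": [
    {"rulePriority": 1, "description": "Expire untagged images older than 7 days",
     "selection": {"tagStatus": "untagged", "countType": "sinceImagePushed",
                   "countUnit": "days", "countNumber": 7},
     "action": {"type": "expire"}},
    {"rulePriority": 2, "description": "Keep the 10 newest v* release images",
     "selection": {"tagStatus": "tagged", "tagPrefixList": ["v"],
                   "countType": "imageCountMoreThan", "countNumber": 10},
     "action": {"type": "expire"}},
]}

if __name__ == "__main__":
    for name, policy in (("page", PAGE_POLICY), ("tiered", TIERED_POLICY)):
        print(name, expired_images(policy, sample_images(NOW), NOW))
```

With the page's `any`/10 rule, the five oldest images go regardless of tag state (v1 to v3 and both stale untagged images), while the tiered policy expires the two stale untagged images under rule 1 and only v1 and v2 under rule 2, keeping v3 and the 2-day-old untagged image.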
Repository policies grant other accounts access to a single repository. This statement allows pull only:

```bash
aws ecr set-repository-policy \
  --repository-name myapp \
  --policy-text '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "CrossAccountPull",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::OTHER_ACCOUNT:root"
        },
        "Action": [
          "ecr:GetDownloadUrlForLayer",
          "ecr:BatchGetImage"
        ]
      }
    ]
  }'
```

`arn:aws:iam::OTHER_ACCOUNT:root` delegates to the whole account: any identity in it whose own IAM policy allows these actions plus `ecr:GetAuthorizationToken` (which must come from the identity's IAM policy, not the repository policy) can pull. Name a specific role ARN when the consumer is known, and keep push actions (`ecr:PutImage`, `ecr:InitiateLayerUpload`, `ecr:UploadLayerPart`, `ecr:CompleteLayerUpload`) out of cross-account statements unless the other account is meant to publish.
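A repository policy is easy to widen by accident (a `*` principal, an `ecr:*` action, or push actions handed to another account). The following added example, not part of this skill and not an AWS tool, lints a policy document for those patterns; the policies and account IDs it checks are constructed placeholders.

```python
"""Lint an ECR repository policy for over-broad grants (added example, not an AWS tool).

Sample policies are constructed; the account IDs are placeholders.
"""
import json

# Actions a pull-only consumer needs; anything else granted cross-account is flagged
PULL_ACTIONS = {
    "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:DescribeImages",
    "ecr:DescribeRepositories", "ecr:GetDownloadUrlForLayer", "ecr:ListImages",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten the Principal element to a list of strings ('*' for anonymous)."""
    principal = statement.get("Principal", [])
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [p for values in principal.values() for p in _as_list(values)]
    return _as_list(principal)


def _account_of(principal):
    """Account ID of an ARN ('arn:aws:iam::123456789012:root') or of a bare account ID."""
    parts = principal.split(":")
    return parts[4] if principal.startswith("arn:") and len(parts) > 5 else principal


def audit_repository_policy(policy_text, own_account):
    """Return findings as (sid, severity, message) tuples for every Allow statement."""
    findings = []
    for stmt in _as_list(json.loads(policy_text).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        principals = _principals(stmt)
        if "NotPrincipal" in stmt or "NotAction" in stmt:
            findings.append((sid, "high", "Allow with NotPrincipal/NotAction grants everything "
                                          "outside the list; use an explicit allow list"))
        if "*" in principals and not stmt.get("Condition"):
            findings.append((sid, "high", "Principal '*' without a Condition makes the "
                                          "repository anonymously accessible"))
        wildcards = sorted(a for a in actions if a.endswith("*"))
        if wildcards:
            findings.append((sid, "high", f"wildcard actions {wildcards}: enumerate the exact "
                                          "actions instead"))
        external = [p for p in principals if p != "*" and _account_of(p) != own_account]
        beyond_pull = sorted(a for a in actions if a not in PULL_ACTIONS and not a.endswith("*"))
        if external and beyond_pull:
            findings.append((sid, "high", f"{beyond_pull} granted outside account "
                                          f"{own_account} to {external}"))
        for p in external:
            if p.endswith(":root") or not p.startswith("arn:"):
                findings.append((sid, "info", f"{p} is account-wide: any identity there with "
                                              "matching IAM permissions (including "
                                              "ecr:GetAuthorizationToken) qualifies; prefer a role ARN"))
    return findings


# Constructed samples; 123456789012 is "our" account, 210987654321 the consumer
PAGE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "CrossAccountPull", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::210987654321:root"},
    "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]}]})

PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Open", "Effect": "Allow", "Principal": "*", "Action": "ecr:*"}]})

CROSS_PUSH_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Publisher", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::210987654321:role/ci-publisher"},
    "Action": ["ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
               "ecr:CompleteLayerUpload", "ecr:BatchCheckLayerAvailability"]}]})

if __name__ == "__main__":
    for name, policy in (("page", PAGE_POLICY), ("public", PUBLIC_POLICY), ("push", CROSS_PUSH_POLICY)):
        for finding in audit_repository_policy(policy, "123456789012"):
            print(name, *finding)
```

The page's own policy produces only an informational note about the account-wide `:root` principal; the public and cross-account-push samples each produce high findings. Run it against `aws ecr get-repository-policy --query policyText --output text` before and after changes.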
## Azure Container Registry (ACR)

```bash
# Create registry (admin user disabled: authenticate with Entra ID identities,
# not the shared admin credential)
az acr create \
  --resource-group mygroup \
  --name myregistry \
  --sku Standard \
  --admin-enabled false

# Get login server
az acr show --name myregistry --query loginServer -o tsv

# Login with Azure CLI (uses your current az session)
az acr login --name myregistry

# Login with a service principal that holds the AcrPush or AcrPull role
# (do not pass the secret with -p: it lands in the process list and shell history)
echo "$SP_PASSWORD" | docker login myregistry.azurecr.io \
  -u "$SP_APP_ID" --password-stdin

# Get an access token for clients that cannot run az acr login themselves
az acr login --name myregistry --expose-token

# Tag and push
docker tag myapp:latest myregistry.azurecr.io/myapp:latest
docker push myregistry.azurecr.io/myapp:latest

# ACR Build (build in cloud)
az acr build \
  --registry myregistry \
  --image myapp:latest \
  --file Dockerfile .
```

Retention policies and geo-replication are Premium-SKU features; the registry created above is Standard and has to be upgraded first (`az acr update --name myregistry --sku Premium`):

```bash
# Purge untagged manifests after 30 days
az acr config retention update \
  --registry myregistry \
  --status enabled \
  --days 30 \
  --type UntaggedManifests

# Replicate to a second region
az acr replication create \
  --registry myregistry \
  --location westeurope

# List replications
az acr replication list --registry myregistry
```
## Google Artifact Registry

Container Registry (`gcr.io`) is deprecated in favour of Artifact Registry, so new repositories are created there:

```bash
# Create repository
gcloud artifacts repositories create myrepo \
  --repository-format=docker \
  --location=us-central1 \
  --description="Docker repository"

# Register gcloud as the Docker credential helper for this host (persistent)
gcloud auth configure-docker us-central1-docker.pkg.dev

# Or log in once with a short-lived OAuth access token (about one hour)
gcloud auth print-access-token | \
  docker login -u oauth2accesstoken --password-stdin \
  https://us-central1-docker.pkg.dev

# Tag for Artifact Registry
docker tag myapp:latest \
  us-central1-docker.pkg.dev/PROJECT_ID/myrepo/myapp:latest

# Push
docker push us-central1-docker.pkg.dev/PROJECT_ID/myrepo/myapp:latest

# Pull
docker pull us-central1-docker.pkg.dev/PROJECT_ID/myrepo/myapp:latest

# Apply cleanup policies from a file; --dry-run records what would be deleted
# without deleting anything, so start with it and drop the flag once the
# audit log shows only the expected versions
gcloud artifacts repositories set-cleanup-policies myrepo \
  --location=us-central1 \
  --policy=policy.json \
  --dry-run
```

The policy file is a JSON list of policies (not a single object), and `tagState` takes the upper-case values `TAGGED`, `UNTAGGED` or `ANY`:

```json
[
  {
    "name": "delete-old",
    "action": {"type": "Delete"},
    "condition": {
      "olderThan": "30d",
      "tagState": "UNTAGGED"
    }
  }
]
```
## GitHub Container Registry (GHCR)

```bash
# Login with a personal access token that has the read:packages scope
# (write:packages to push); inside Actions the workflow GITHUB_TOKEN with
# the packages: write permission works the same way
echo "$GITHUB_TOKEN" | docker login ghcr.io -u USERNAME --password-stdin

# Tag
docker tag myapp:latest ghcr.io/OWNER/myapp:latest

# Push
docker push ghcr.io/OWNER/myapp:latest

# Pull
docker pull ghcr.io/OWNER/myapp:latest
```

Package visibility and access are configured in GitHub.
## Self-hosted registry (distribution)

```bash
# Run registry over plain HTTP: clients must list it under "insecure-registries",
# and nothing authenticates them, so keep this off any shared network
docker run -d -p 5000:5000 \
  --name registry \
  -v registry-data:/var/lib/registry \
  registry:2

# Configure TLS
docker run -d -p 443:5000 \
  --name registry \
  -v /certs:/certs \
  -v registry-data:/var/lib/registry \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  registry:2
```

Neither container authenticates clients. Before exposing one, add basic auth with `REGISTRY_AUTH=htpasswd`, `REGISTRY_AUTH_HTPASSWD_PATH` and `REGISTRY_AUTH_HTPASSWD_REALM` (basic auth only makes sense over TLS), or put the registry behind a token-issuing proxy.
## Harbor

```bash
# Download Harbor
wget https://github.com/goharbor/harbor/releases/download/v2.9.0/harbor-online-installer-v2.9.0.tgz
tar xzvf harbor-online-installer-v2.9.0.tgz
cd harbor

# Configure harbor.yml (copy harbor.yml.tmpl): set hostname, the https
# certificate and private key paths, and replace the default
# harbor_admin_password before installing

# Install with the Trivy scanner. ChartMuseum was removed in Harbor 2.8, so
# --with-chartmuseum is no longer accepted; Helm charts are stored as OCI artifacts
./install.sh --with-trivy
```
## Image scanning

```bash
# ECR - Enable scan on push for an existing repository
aws ecr put-image-scanning-configuration \
  --repository-name myapp \
  --image-scanning-configuration scanOnPush=true

# Get scan results (findings are grouped by severity)
aws ecr describe-image-scan-findings \
  --repository-name myapp \
  --image-id imageTag=latest
```

ACR has no on-demand scan command (there is no `az acr run-scan`): enable Microsoft Defender for Containers on the subscription and it scans images as they are pushed, with findings surfaced in Defender for Cloud. For a scan you can run from the CLI or in CI against any registry, point a scanner such as Trivy at the pushed image (`trivy image myregistry.azurecr.io/myapp:latest`).

## Image signing

```bash
# Enable Docker Content Trust for this shell
export DOCKER_CONTENT_TRUST=1

# Sign image on push (prompts for root and repository key passphrases on first push)
docker push myregistry/myapp:latest

# Verify signature
docker trust inspect --pretty myregistry/myapp:latest
```

Docker Content Trust needs a Notary v1 server alongside the registry: Docker Hub provides one and ACR Premium can enable it, but ECR, Artifact Registry and GHCR do not, so a push with `DOCKER_CONTENT_TRUST=1` to those registries fails after the layers are uploaded. For them, sign with Sigstore cosign (`cosign sign` / `cosign verify`) or Notation, which store signatures as OCI artifacts in the registry itself.
## Troubleshooting

- Push/pull fails with an auth error: re-run the login command (ECR and Artifact Registry tokens expire) and check that the credential helper for that host is configured in `~/.docker/config.json` and that its `docker-credential-*` binary is installed on `PATH`.
- Pull fails with "manifest unknown": verify that the tag or digest exists and that the full reference (registry host, account or project path, repository name) is correct.
- Cannot push to a repository: check IAM permissions for the pushing identity and verify that the repository exists (ECR and Artifact Registry do not create repositories on push).
- "Too many requests": Docker Hub rate-limits anonymous pulls; authenticate for higher limits or use a pull-through cache.
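Both the credential-helper setup for ECR and the first two troubleshooting items come down to the same question: given an image reference, which registry host does Docker derive from it, and which entry in `config.json` will it consult? The following added example (not part of this skill and not Docker's own code) answers that offline. It parses a reference the way the Docker CLI does (default `docker.io`, implicit `library/`, default tag `latest`, lowercase-only repository path) and then walks the CLI's lookup order: `credHelpers` for the exact host, then a global `credsStore`, then `auths` matched first by exact key and then by hostname. The `config.json` it reads and the tokens inside it are constructed.

```python
"""Parse an image reference and work out which config.json credential source
Docker will use for it (added example; constructed config, not Docker's code).

Lookup order mirrors the Docker CLI: credHelpers[host], then credsStore, then
auths (exact key, then hostname match). Docker Hub is keyed by the legacy index
URL rather than by "docker.io".
"""
import base64
import re

DEFAULT_REGISTRY = "docker.io"
HUB_CONFIG_KEY = "https://index.docker.io/v1/"
_TAG_RE = re.compile(r"^[\w][\w.-]{0,127}$")
_DIGEST_RE = re.compile(r"^[a-z0-9]+(?:[+._-][a-z0-9]+)*:[0-9a-f]{32,}$")
_COMPONENT_RE = re.compile(r"^[a-z0-9]+(?:(?:[._]|__|-+)[a-z0-9]+)*$")  # path components are lowercase only


def parse_reference(ref):
    """Split 'host[:port]/path[:tag][@digest]' into its parts, applying Docker's defaults."""
    name, _, digest = ref.partition("@")
    if digest and not _DIGEST_RE.match(digest):
        raise ValueError(f"invalid digest {digest!r}")
    parts = name.split("/")
    # The first component is a registry host only if it looks like one
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, path = parts[0], parts[1:]
    else:
        registry, path = DEFAULT_REGISTRY, parts
    path[-1], _, tag = path[-1].partition(":")
    if tag and not _TAG_RE.match(tag):
        raise ValueError(f"invalid tag {tag!r}")
    if registry == DEFAULT_REGISTRY and len(path) == 1:
        path.insert(0, "library")  # docker.io/myapp -> docker.io/library/myapp
    for component in path:
        if not _COMPONENT_RE.match(component):
            raise ValueError(f"invalid repository component {component!r} (lowercase only)")
    if not tag and not digest:
        tag = "latest"  # Docker's default when neither a tag nor a digest is given
    return {"registry": registry, "repository": "/".join(path),
            "tag": tag or None, "digest": digest or None}


def is_valid_reference(ref):
    try:
        parse_reference(ref)
        return True
    except ValueError:
        return False


def _hostname(config_key):
    """Docker compares auths keys by hostname: 'https://host/v1/' -> 'host'."""
    return re.sub(r"^https?://", "", config_key).split("/")[0]


def resolve_credential_source(config, image_ref):
    """Return the parsed reference plus the credential source Docker would consult."""
    ref = parse_reference(image_ref)
    key = HUB_CONFIG_KEY if ref["registry"] in ("docker.io", "index.docker.io") else ref["registry"]
    helpers = config.get("credHelpers", {})
    if key in helpers:
        # docker-credential-<helper> must be on PATH, e.g. docker-credential-ecr-login
        source = {"source": "credHelper", "helper": helpers[key]}
    elif config.get("credsStore"):
        source = {"source": "credsStore", "helper": config["credsStore"]}
    else:
        auths = config.get("auths", {})
        entry = auths.get(key) or next(
            (v for k, v in auths.items() if _hostname(k) == _hostname(key)), None)
        if entry and entry.get("auth"):
            username = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
            source = {"source": "auths", "username": username}
        else:
            source = {"source": "anonymous"}  # works for public pulls, but Hub rate-limits these
    return {**ref, "config_key": key, **source}


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed ~/.docker/config.json: ECR via helper, Hub and GHCR via stored logins
SAMPLE_CONFIG = {
    "credHelpers": {"123456789012.dkr.ecr.us-east-1.amazonaws.com": "ecr-login"},
    "auths": {
        HUB_CONFIG_KEY: {"auth": _b64("alice:dckr_pat_example")},
        "https://ghcr.io": {"auth": _b64("bob:ghp_example")},  # URL-style key, matched by hostname
    },
}

if __name__ == "__main__":
    for ref in ("myapp", "123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest",
                "ghcr.io/owner/myapp@sha256:" + "a" * 64,
                "us-central1-docker.pkg.dev/my-project/myrepo/myapp"):
        print(resolve_credential_source(SAMPLE_CONFIG, ref))
```

When a pull comes back `anonymous` for a private registry, or the resolved `helper` binary is not installed, that is the auth failure the first troubleshooting item describes; when the parsed `repository` or `registry` is not what you expected (a missing project or account segment, an uppercase component), that is the usual cause of "manifest unknown".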