Harbor: enterprise cloud-native container registry

Harbor 1.0 (2016, CNCF graduated 2020) by VMware: open source container registry with RBAC, integrated vulnerability scanning, signing, multi-site replication, OCI artifacts. Self-hosted alternative to Docker Hub.


Enterprise container registry

Docker Registry (2013, open source) is minimal: push/pull and nothing else. In the enterprise we need RBAC, audit logging, vulnerability scanning, image signing, geographic replication, Helm chart hosting and retention policies. Harbor is the solution.

The release

Harbor is developed by VMware China (Project Harbor) and was released as open source in March 2016. Version 1.0 followed in July 2017. Donated to the CNCF in July 2018 as an incubating project; graduated in June 2020. Apache 2.0 licence. Written in Go.

Features

  • OCI-compliant registry — Docker, OCI images, Helm charts (OCI artifact), CNAB, WASM
  • RBAC and project isolation — projects with roles (Admin, Developer, Master, Guest, Limited Guest)
  • LDAP/AD/OIDC — enterprise SSO integration
  • Vulnerability scanning — integrated with Trivy (default), Clair, Snyk, Anchore
  • Image signing — Notation and Sigstore Cosign for signing and verification
  • Replication — push/pull between Harbor instances or external registries (Docker Hub, ECR, ACR, GCR, GAR, quay.io)
  • Retention & quota — policies on disk space, age, tag count
  • Tag immutability — prevents tag overwrite in prod environments
  • Garbage collection — cleanup of unused layers
  • Webhook — CI/CD notifications on push
  • Robot accounts — non-user tokens for CI/CD

Use cases

  • Private registry on-prem or cloud
  • Mirror of public registries (proxy cache)
  • Supply chain governance — scan + signing before deploy
  • Multi-region — geographic pull replica
  • DR — fallback registry available

Deployment

  • Docker Compose for single-node
  • Helm chart for Kubernetes
  • Harbor Operator for native K8s
  • Istio integration for edge/in-cluster

Competitors

  • Docker Hub — SaaS, public
  • GitHub Container Registry (GHCR) — integrated GitHub
  • GitLab Container Registry — integrated GitLab
  • quay.io (Red Hat) — SaaS/on-prem
  • AWS ECR, Azure ACR, GCP GAR — managed cloud
  • Nexus Repository (Sonatype) — multi-format, registry included
  • JFrog Artifactory — commercial, multi-format

In the Italian context

Harbor is widely adopted in Italian companies for:

  • Data sovereignty — registry in Italian DC, no public cloud
  • Banks and fintech — supply chain policies
  • Digital PA — PSN projects, sovereign cloud
  • MSPs — managed registry offering for clients
  • Private K8s clusters — fallback if Docker Hub rate-limits
  • Air-gapped environments — defence, industrial

Often combined with a Trivy scan, Cosign signing and Kyverno signature verification at admission control, so that only scanned and signed images reach the cluster.
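The "scan + signing before deploy" governance step can be enforced outside the cluster as well, by reading Harbor's artifact API before a release job pulls an image. The following is an added example (not Harbor's own code nor part of the original page): it evaluates an artifact document of the shape Harbor's `GET /api/v2.0/projects/{project}/repositories/{repo}/artifacts/{reference}?with_scan_overview=true&with_accessory=true` endpoint returns, and blocks the deploy when the Trivy severity exceeds a threshold, the scan has not completed, or no Cosign/Notation signature accessory is attached. The sample documents, the hypothetical robot-account credentials in `fetch_artifact`, and the double-encoding of nested repository names in `artifact_url` are assumptions made for the example.

```python
"""Deploy gate over a Harbor artifact document (added example, not Harbor code)."""
import json
import urllib.request
from base64 import b64encode
from urllib.parse import quote

# Severity names as Harbor's vulnerability report uses them, lowest to highest.
SEVERITY_RANK = {"None": 0, "Unknown": 1, "Negligible": 2, "Low": 3,
                 "Medium": 4, "High": 5, "Critical": 6}
# Key under which Harbor's scan_overview holds the scanner report.
VULN_REPORT_MIME = "application/vnd.security.vulnerability.report; version=1.1"
# Accessory types Harbor attaches for Cosign and Notation signatures.
SIGNATURE_ACCESSORIES = ("signature.cosign", "signature.notation")


def make_sample(severity, counts, signed, scan_status="Success"):
    """Constructed artifact document modelled on Harbor's artifact API response;
    only the fields the gate reads are present (sample data, not a real artifact)."""
    doc = {
        "digest": "sha256:" + "0" * 64,  # placeholder digest
        "scan_overview": {
            VULN_REPORT_MIME: {
                "scan_status": scan_status,
                "severity": severity,
                "summary": {"total": sum(counts.values()), "summary": counts},
                "scanner": {"name": "Trivy"},
            }
        },
        "accessories": [],
    }
    if signed:
        doc["accessories"].append({"type": "signature.cosign"})
    return doc


def scan_report(artifact):
    """The scanner report block, or None when no scan is attached."""
    return artifact.get("scan_overview", {}).get(VULN_REPORT_MIME)


def has_signature(artifact):
    """True when any Cosign/Notation signature accessory is attached."""
    return any(a.get("type") in SIGNATURE_ACCESSORIES
               for a in artifact.get("accessories", []))


def evaluate_gate(artifact, max_severity="Medium", require_signature=True):
    """Return (allowed, reasons). Fails closed: a missing or unfinished scan blocks."""
    reasons = []
    limit = SEVERITY_RANK[max_severity]
    report = scan_report(artifact)
    if report is None:
        reasons.append("no vulnerability report attached")
    elif report.get("scan_status") != "Success":
        reasons.append(f"scan status is {report.get('scan_status')!r}")
    else:
        sev = report.get("severity", "Unknown")
        if SEVERITY_RANK.get(sev, SEVERITY_RANK["Unknown"]) > limit:
            counts = report.get("summary", {}).get("summary", {})
            over = {k: v for k, v in counts.items()
                    if SEVERITY_RANK.get(k, 1) > limit and v}
            reasons.append(f"highest severity {sev} exceeds {max_severity}: {over}")
    if require_signature and not has_signature(artifact):
        reasons.append("no Cosign/Notation signature accessory")
    return (not reasons, reasons)


def artifact_url(base_url, project, repo, reference):
    """Build the artifact URL. A nested repository name ("team/app") is
    double-encoded in the path ("team%252Fapp"); assumption for this example."""
    repo_enc = quote(quote(repo, safe=""), safe="")
    return (f"{base_url.rstrip('/')}/api/v2.0/projects/{quote(project, safe='')}"
            f"/repositories/{repo_enc}/artifacts/{quote(reference, safe='')}"
            "?with_scan_overview=true&with_accessory=true")


def fetch_artifact(base_url, project, repo, reference, robot_name, robot_secret):
    """Fetch the live document with a Harbor robot account over HTTP basic auth.
    Network call; the offline samples above do not exercise it."""
    req = urllib.request.Request(artifact_url(base_url, project, repo, reference))
    token = b64encode(f"{robot_name}:{robot_secret}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    clean = make_sample("Low", {"Low": 2}, signed=True)
    risky = make_sample("Critical", {"Critical": 1, "High": 3, "Low": 7}, signed=False)
    for name, art in (("clean", clean), ("risky", risky)):
        ok, why = evaluate_gate(art)
        print(name, "ALLOW" if ok else "BLOCK", why)
```

Running the block as a script prints `ALLOW` for the signed, low-severity sample and `BLOCK` with two reasons for the unsigned, critical one. In a pipeline you would replace the samples with `fetch_artifact(...)` and pin the deploy to the returned `digest` rather than a mutable tag.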


References: Harbor (VMware, March 2016). Version 1.0 July 2017. Donated to CNCF (July 2018). CNCF graduated (June 2020). Apache 2.0 licence. Written in Go. OCI-compliant, Trivy/Clair scanning, Cosign signing.
