Harbor is an open-source cloud native container registry that stores, signs, and scans container images and OCI artifacts. It is a CNCF graduated project (since June 2020) and the most widely adopted open-source container registry, with 30.5k GitHub stars and 5.1k forks.
What is Harbor?
Harbor is a self-hosted container registry that adds vulnerability scanning, content trust, multi-registry replication, and role-based access control on top of the Docker Distribution registry. VMware open-sourced it in 2016, it joined the CNCF in July 2018, and it graduated in June 2020 — making it the first open-source registry to reach CNCF graduated status.
Organizations run Harbor when they need a private container registry with security controls that hosted registries charge for or simply do not offer. Air-gapped environments, regulated industries, and multi-cloud setups are the typical use cases.
How does Harbor scan for vulnerabilities?
Harbor scans container images for known vulnerabilities using pluggable scanner backends. Trivy has been the default scanner since Harbor v2.2. Clair and Anchore Enterprise also work through Harbor’s scanner adapter framework, letting organizations choose the scanning engine that fits their existing toolchain.
Scan-on-push policies automatically scan every image when it hits the registry. Reports show CVE IDs, severity levels, affected packages, and fixed versions. Admins can block pulls of images that exceed a severity threshold, which stops vulnerable images from reaching production.
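The severity-threshold gate described above, as an added example that is not Harbor's own code: it reads a vulnerability report, drops allowlisted CVE ids, and blocks the pull when the worst remaining finding is at or above the configured threshold. The report shape, field names and CVE ids are constructed placeholders, not Harbor's wire format.

```python
# Added example (not Harbor's own code): a pull gate over a vulnerability
# report. The report shape below is a constructed, simplified stand-in for
# what a scanner adapter returns; field names are an assumption.

SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical"]

# Constructed sample report for one image tag; CVE ids are placeholders.
SAMPLE_REPORT = {
    "scan_status": "Success",
    "vulnerabilities": [
        {"id": "CVE-EXAMPLE-1", "package": "libexample", "version": "1.0.0",
         "fix_version": "1.0.1", "severity": "Critical"},
        {"id": "CVE-EXAMPLE-2", "package": "libother", "version": "2.3.0",
         "fix_version": "", "severity": "High"},
        {"id": "CVE-EXAMPLE-3", "package": "tooling", "version": "0.9",
         "fix_version": "0.9.1", "severity": "Low"},
    ],
}


def severity_rank(level):
    """Numeric rank of a severity label; higher means more severe."""
    return SEVERITY_ORDER.index(level)


def summarize(report, allowlist=frozenset()):
    """Count findings per severity, skipping allowlisted CVE ids.

    Returns (counts by severity, number of findings that have a fix).
    """
    counts = {level: 0 for level in SEVERITY_ORDER}
    fixable = 0
    for vuln in report["vulnerabilities"]:
        if vuln["id"] in allowlist:
            continue
        counts[vuln["severity"]] += 1
        if vuln["fix_version"]:
            fixable += 1
    return counts, fixable


def worst_severity(counts):
    """Highest severity with at least one finding, or None if clean."""
    for level in reversed(SEVERITY_ORDER):
        if counts.get(level, 0) > 0:
            return level
    return None


def pull_allowed(report, threshold, allowlist=frozenset()):
    """Decide a pull under a 'block at or above threshold' policy.

    A missing or failed scan is treated as unknown risk and blocked, so an
    image cannot slip through by never having been scanned.
    """
    if report.get("scan_status") != "Success":
        return False, "no successful scan report"
    counts, _ = summarize(report, allowlist)
    worst = worst_severity(counts)
    if worst is not None and severity_rank(worst) >= severity_rank(threshold):
        return False, f"worst severity {worst} is at or above {threshold}"
    return True, "ok"


if __name__ == "__main__":
    for threshold in ("Critical", "High"):
        print(threshold, pull_allowed(SAMPLE_REPORT, threshold))
    print("allowlisted", pull_allowed(SAMPLE_REPORT, "High",
                                      {"CVE-EXAMPLE-1", "CVE-EXAMPLE-2"}))
```

The fail-closed branch matters more than the arithmetic: a gate that only compares severities lets an unscanned image through, so a report that is absent or in an error state must block the pull just like a critical finding does.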
Does Harbor support image signing?
Harbor supports artifact signing through Cosign (part of the Sigstore project) and Notation for supply chain security. When content trust is enabled on a project, only signed artifacts can be pulled. Unsigned or tampered images get blocked, preventing compromised images from reaching production.
Signatures replicate alongside their associated artifacts. When a replication rule covers a signed image, Harbor replicates the signature too, so the chain of trust holds across registries.
Replication and multi-site deployment
Harbor replicates images between registry instances based on configurable policies. You can filter by repository, tag, or label. Replication runs on a schedule or triggers on push.
Replication targets include other Harbor instances, Docker Hub, AWS ECR, Google GCR/GAR, Azure ACR, and any OCI-compliant registry. This handles multi-datacenter deployments, disaster recovery, and hybrid cloud workflows.
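How repository, tag and label filters select what a replication rule copies, as an added example that is not Harbor's own code. The glob semantics (`**` across path segments, `*` within one, `{a,b}` alternatives) are a simplified approximation of Harbor's filter matching and are an assumption, as are the constructed rule and artifact listing.

```python
# Added example (not Harbor's own code): selecting artifacts for a
# replication rule by repository name, tag and label filters. Filter
# semantics are a simplified approximation of Harbor's glob-style filters
# and are an assumption.
import re


def glob_to_regex(pattern):
    """Compile a doublestar-style glob: '**' crosses '/' boundaries, '*'
    stays within one path segment, '?' is one non-slash character and
    '{a,b}' lists alternatives."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        elif pattern[i] == "{" and "}" in pattern[i:]:
            end = pattern.index("}", i)
            alternatives = pattern[i + 1:end].split(",")
            out.append("(?:" + "|".join(re.escape(a) for a in alternatives) + ")")
            i = end + 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def select_tags(filters, artifact):
    """Return the tags of `artifact` that a rule with `filters` would replicate.

    filters: list of {"type": "name" | "tag" | "label", "value": str}
    artifact: {"repository": str, "tags": [str], "labels": [str]}
    An empty result means the artifact is skipped entirely.
    """
    tags = list(artifact["tags"])
    for flt in filters:
        if flt["type"] == "name":
            if not glob_to_regex(flt["value"]).match(artifact["repository"]):
                return []
        elif flt["type"] == "label":
            if flt["value"] not in artifact.get("labels", []):
                return []
        elif flt["type"] == "tag":
            pattern = glob_to_regex(flt["value"])
            tags = [t for t in tags if pattern.match(t)]
        else:
            raise ValueError(f"unknown filter type {flt['type']!r}")
    return tags


# Constructed rule: copy release-labelled images under library/ whose tags
# look like versions, e.g. to a disaster-recovery registry.
RULE_FILTERS = [
    {"type": "name", "value": "library/**"},
    {"type": "tag", "value": "v*"},
    {"type": "label", "value": "release"},
]

# Constructed artifacts as a registry listing might describe them.
ARTIFACTS = [
    {"repository": "library/api", "tags": ["v1.2.0", "latest"], "labels": ["release"]},
    {"repository": "library/nested/worker", "tags": ["v0.9.1"], "labels": ["release"]},
    {"repository": "sandbox/api", "tags": ["v1.2.0"], "labels": ["release"]},
    {"repository": "library/api", "tags": ["v1.3.0-rc1"], "labels": []},
]


def plan_replication(filters, artifacts):
    """Map each repository to the tags the rule would copy; skipped artifacts are omitted."""
    plan = {}
    for art in artifacts:
        tags = select_tags(filters, art)
        if tags:
            plan.setdefault(art["repository"], []).extend(tags)
    return plan


if __name__ == "__main__":
    for repo, tags in plan_replication(RULE_FILTERS, ARTIFACTS).items():
        print(repo, tags)
```

Dry-running a rule like this before enabling it is worth the minute it takes: a `*` where `**` was intended silently skips nested repositories, and a missing label filter can push unreviewed release candidates into a registry that production pulls from.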
Access control and multi-tenancy
Harbor organizes content into projects. Each project gets its own RBAC policies, scan settings, quota limits, and tag retention rules. Authentication plugs into LDAP, Active Directory, OIDC providers, or the built-in database.
Robot accounts give CI/CD pipelines non-human access with scoped permissions and expiration dates. Audit logs track who pushed, pulled, deleted, or scanned artifacts.
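Reconciling audit-log records against the scopes and expiry dates granted to robot accounts, as an added example that is not Harbor's own code. The `robot$<project>+<name>` naming convention is taken as an assumption, the scope model is simplified, and the account definitions and audit records are constructed samples rather than real Harbor output.

```python
# Added example (not Harbor's own code): review audit-log records from
# robot accounts against their declared scope and expiry. Naming convention,
# scope model and all records below are constructed assumptions.
from datetime import datetime

# Constructed robot account definitions (assumption: Harbor-style
# "robot$<project>+<name>" names; scopes reduced to projects + actions).
ROBOTS = {
    "robot$shop+ci": {"projects": {"shop"}, "actions": {"push", "pull", "scan"},
                      "expires_at": "2030-01-01T00:00:00Z"},
    "robot$shop+deploy": {"projects": {"shop"}, "actions": {"pull"},
                          "expires_at": "2024-01-01T00:00:00Z"},
}

# Constructed audit records, not real Harbor output.
AUDIT_LOG = [
    {"username": "robot$shop+ci", "operation": "push",
     "resource": "shop/api:1.4.0", "op_time": "2024-05-02T10:00:00Z"},
    {"username": "robot$shop+ci", "operation": "delete",
     "resource": "shop/api:1.3.0", "op_time": "2024-05-02T10:01:00Z"},
    {"username": "robot$shop+deploy", "operation": "pull",
     "resource": "shop/api:1.4.0", "op_time": "2024-05-02T10:02:00Z"},
    {"username": "robot$shop+ci", "operation": "pull",
     "resource": "billing/db:2", "op_time": "2024-05-02T10:03:00Z"},
    {"username": "alice", "operation": "delete",
     "resource": "shop/api:1.2.0", "op_time": "2024-05-02T10:04:00Z"},
]


def parse_time(stamp):
    """Parse an RFC 3339 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def project_of(resource):
    """Harbor repositories are '<project>/<repo>[:tag]'; return the project."""
    return resource.split("/", 1)[0]


def review_robot_activity(robots, records):
    """Return (username, reason) findings for robot activity that contradicts
    the account's granted actions, scoped projects or expiry date.
    Human users are left to a separate review and skipped here."""
    findings = []
    for rec in records:
        user = rec["username"]
        if not user.startswith("robot$"):
            continue
        robot = robots.get(user)
        if robot is None:
            findings.append((user, "unknown robot account"))
            continue
        if parse_time(rec["op_time"]) > parse_time(robot["expires_at"]):
            findings.append((user, "activity after expiration"))
        if rec["operation"] not in robot["actions"]:
            findings.append((user, f"operation {rec['operation']} outside granted actions"))
        if project_of(rec["resource"]) not in robot["projects"]:
            findings.append((user, f"resource {rec['resource']} outside scoped projects"))
    return findings


if __name__ == "__main__":
    for user, reason in review_robot_activity(ROBOTS, AUDIT_LOG):
        print(f"{user}: {reason}")
```

Any finding from this reconciliation points at drift between what a pipeline was granted and what its credentials are actually doing; an unknown robot name in the log is the one to chase first, since it means an account exists that the inventory does not know about.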
Who should use Harbor?
Harbor is designed for organizations that need a self-hosted container registry with enterprise security controls. Platform teams running Kubernetes in production, companies with data residency requirements, and teams operating in air-gapped or classified environments are typical users. Harbor is free under the Apache 2.0 license with no commercial tiers.
If you only need a hosted registry and your security requirements are basic, Docker Hub or your cloud provider’s registry (ECR, GCR, ACR) may be simpler. Harbor makes sense when you need vulnerability scanning, content trust, RBAC, and replication under your own control.
What are Harbor’s limitations?
Harbor is self-hosted, meaning you provision and maintain the infrastructure: PostgreSQL database, Redis, storage backend, and the Harbor components. That is more operational work than a managed registry. Harbor handles image storage and security only; it does not include CI/CD pipelines or build capabilities. For runtime container security, pair it with Falco or NeuVector.
