Key features
- Private container registry — self-hosted OCI-compliant image registry for APAC Kubernetes teams
- Trivy scanning — integrated open-source CVE scanning for all stored container images
- Content trust — Notary v2 and Cosign image signing for APAC supply chain integrity verification
- Project-based RBAC — team-level container image access control with robot accounts for CI/CD
- Replication — image synchronisation between Harbor instances and cloud registries (ECR, GCR)
- Helm chart hosting — OCI-compliant Helm chart storage alongside container images
- Audit logging — complete registry operation audit trail for APAC compliance requirements
Best for
- APAC Kubernetes platform teams wanting self-hosted private container registry without Docker Hub or ECR dependency
- DevSecOps teams requiring integrated container vulnerability scanning and supply chain integrity at the registry layer
- APAC organisations with data sovereignty requirements needing container images stored in APAC-controlled infrastructure
- Platform engineering teams managing multi-team container image access with project isolation and CI/CD robot accounts
Limitations to know
- Harbor requires self-hosted infrastructure management — APAC teams should consider cloud-managed registries (ECR, GCR, ACR) for reduced operational overhead
- Harbor high availability configuration (multiple replicas, external database, external Redis) requires platform engineering expertise to operate reliably
- Harbor does not natively support multi-format artifacts (npm, Maven, Helm charts separately from OCI) — complement with Nexus or Artifactory for non-container artifacts
- Trivy database update dependency — APAC air-gapped environments must manage Trivy vulnerability database synchronisation manually
About Harbor
Harbor is a CNCF (Cloud Native Computing Foundation) graduated open-source container registry. It gives APAC Kubernetes platform engineering teams a self-hosted private container image registry with integrated vulnerability scanning via Trivy, content trust (cryptographic image signing), robot account management, and project-based access control, so APAC organisations can operate enterprise-grade container registry infrastructure without commercial registry licensing.
Harbor's vulnerability scanning integration uses Trivy (also CNCF open-source) to scan container images stored in Harbor for known OS and application package CVEs. It supports scan policies that prevent images with critical vulnerabilities from being pulled for deployment, which gives APAC DevSecOps teams automated container security validation at the registry layer. An APAC Kubernetes admission controller that requires images to be pulled from Harbor (rather than Docker Hub) can leverage Harbor's scan results to enforce that only scanned, compliant images reach APAC production clusters.
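The registry-origin half of that admission check, as an added example that is not Harbor or AIMenta code: it parses each image reference in a Pod manifest and rejects anything not served from the Harbor host and an approved project. The hostname `harbor.example.internal`, the project names and the function names are assumptions; scan status and signature checks are outside what it shows.

```python
# Added example (not Harbor code): registry-origin check an admission webhook could run.
# HARBOR_HOST and ALLOWED_PROJECTS are hypothetical values for illustration.
HARBOR_HOST = "harbor.example.internal"
ALLOWED_PROJECTS = {"team-a", "platform"}


def split_image_ref(ref):
    """Return (registry, repository_path) following Docker's reference rules."""
    name = ref.split("@", 1)[0]                      # drop any @sha256:... digest
    first, sep, rest = name.partition("/")
    # The first component is a registry only if it looks like a host name.
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first.lower(), rest
    else:
        registry, path = "docker.io", name           # implicit Docker Hub
    last = path.rsplit("/", 1)[-1]
    if ":" in last:                                  # strip the tag, not a host port
        path = path[: path.rfind(":")]
    return registry, path


def pod_images(pod):
    """Yield every image in a Pod spec, including init and ephemeral containers."""
    spec = pod.get("spec", {})
    for key in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(key) or []:
            yield container.get("image", "")


def review(pod):
    """Return (allowed, reasons) for a Pod manifest given as a dict."""
    reasons = []
    for image in pod_images(pod):
        registry, path = split_image_ref(image)
        project = path.split("/", 1)[0]
        if registry != HARBOR_HOST:                  # exact match, never a prefix test
            reasons.append(f"{image}: registry {registry} is not {HARBOR_HOST}")
        elif "/" not in path or project not in ALLOWED_PROJECTS:
            reasons.append(f"{image}: Harbor project {project!r} not allowed")
    return (not reasons, reasons)


# Constructed sample Pod: one compliant image, two that must be rejected.
SAMPLE_POD = {"spec": {
    "initContainers": [{"name": "init", "image": "busybox:1.36"}],
    "containers": [
        {"name": "api", "image": "harbor.example.internal/team-a/api:1.4.2"},
        {"name": "side", "image": "harbor.example.internal.mirror.test/team-a/api:1"},
    ]}}
```

Calling `review(SAMPLE_POD)` rejects the Pod with two reasons: the untagged-registry `busybox` image resolves to Docker Hub, and the lookalike host fails the exact-match comparison.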
Harbor's content trust uses Notary v2 and Cosign for cryptographic container image signing. This lets APAC platform teams verify that images pulled from Harbor were built by authorised CI/CD pipelines and have not been tampered with after signing, which is the supply chain integrity guarantee that APAC DevSecOps programmes require. An image signed by the CI/CD pipeline during build can be verified at deployment time; unsigned images can be rejected by Kubernetes admission controllers.
Harbor's project model organises container images into projects with separate access control: project-level push/pull permissions, robot account credentials for CI/CD automation, and user group access management. This enables APAC platform engineering teams to manage container image access for multiple product teams on a shared Harbor deployment. Product team A's images are isolated from product team B's images; CI/CD robot accounts have push access only to the specific project repositories they need to write.
Harbor's replication synchronises container images between Harbor instances (APAC multi-region deployments where each APAC data centre runs a local Harbor for build and deployment performance) or between Harbor and cloud registries (pushing images from Harbor to AWS ECR or GCR for cloud deployment). This enables APAC platform teams to maintain Harbor as the primary registry while replicating to cloud-native registries for APAC cloud deployments.