// the find
goharbor/harbor
An open source trusted cloud native registry project that stores, signs, and scans content.
Harbor is a CNCF-graduated private container registry that adds auth, RBAC, vulnerability scanning, image signing, and policy-based replication on top of the OCI Distribution Spec. It targets organizations that need to run their own registry — teams that can't or won't push images to Docker Hub or a cloud provider's registry. Mature project: active since 2016, 28k stars, used by major enterprises.
Full OCI conformance: Docker images, Helm charts, WASM modules, CNAB bundles and SBOMs are all stored as OCI artifacts in the same repositories. Policy-based replication is genuinely useful: filter by repo, tag or label, replicate to multiple targets, automatic retry on failure. Trivy is the default scanner rather than a bolt-on, and a per-project policy refuses pulls of artifacts whose worst finding is at or above a chosen severity (that pull-time refusal is what actually keeps a vulnerable image out of a cluster); unscanned artifacts are refused too once the policy is on, so pair it with auto-scan on push. Cosign-based release signing since v2.15.0 means you can verify the installer tarball before you run it, which matters for a security-critical component.
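An offline model of the pull-time vulnerability policy described above, added here as an example rather than taken from Harbor's own code. It assumes the JSON shape of `GET /api/v2.0/projects/{p}/repositories/{r}/artifacts/{ref}/additions/vulnerabilities` (a report keyed by the vulnerability-report MIME type with a `vulnerabilities` list) and the body of `PUT /api/v2.0/projects/{name_or_id}` for turning the policy on; the sample report is constructed and its CVE IDs are placeholders.

```python
"""Model of Harbor's "prevent vulnerable images from running" policy.

Added example, not Harbor project code. Assumes the vulnerabilities-addition
report shape and project-metadata keys noted in the lead-in; the sample
report below is constructed (placeholder CVE IDs, not real ones).
"""

VULN_REPORT_MIME = "application/vnd.security.vulnerability.report; version=1.1"

# Harbor's severity ladder, lowest to highest. The project threshold is
# compared against the worst finding that survives the CVE allowlist.
SEVERITY_ORDER = ["None", "Unknown", "Negligible", "Low", "Medium", "High", "Critical"]
THRESHOLDS = ("low", "medium", "high", "critical")  # values the project setting accepts


def project_policy_payload(threshold, allowlist_cves=()):
    """Body for PUT /api/v2.0/projects/{name_or_id} that turns the block on."""
    if threshold not in THRESHOLDS:
        raise ValueError(f"threshold must be one of {THRESHOLDS}, got {threshold!r}")
    payload = {"metadata": {"prevent_vul": "true", "severity": threshold, "auto_scan": "true"}}
    if allowlist_cves:
        # A project-level allowlist is only honoured once the project stops
        # reusing the system-wide one.
        payload["metadata"]["reuse_sys_cve_allowlist"] = "false"
        payload["cve_allowlist"] = {"items": [{"cve_id": c} for c in allowlist_cves]}
    return payload


def effective_severity(report, allowlist=frozenset()):
    """Worst severity among findings not on the allowlist ('None' if nothing is left)."""
    worst = "None"
    for v in report.get("vulnerabilities", []):
        if v["id"] in allowlist:
            continue
        if SEVERITY_ORDER.index(v["severity"]) > SEVERITY_ORDER.index(worst):
            worst = v["severity"]
    return worst


def pull_decision(additions, threshold, allowlist=frozenset()):
    """Return (blocked, reason) the way the pull-time check decides it."""
    report = additions.get(VULN_REPORT_MIME)
    if report is None:
        # No report at all: Harbor refuses the pull rather than guessing.
        return True, "artifact has no vulnerability report"
    sev = effective_severity(report, allowlist)
    if SEVERITY_ORDER.index(sev) >= SEVERITY_ORDER.index(threshold.capitalize()):
        return True, f"severity {sev} is at or above threshold {threshold}"
    return False, f"severity {sev} is below threshold {threshold}"


# Constructed sample report; the IDs are placeholders, not real CVEs.
SAMPLE_ADDITIONS = {
    VULN_REPORT_MIME: {
        "scanner": {"name": "Trivy"},
        "vulnerabilities": [
            {"id": "CVE-0000-0001", "package": "libexample", "version": "1.0",
             "fix_version": "1.1", "severity": "Critical"},
            {"id": "CVE-0000-0002", "package": "libother", "version": "2.3",
             "fix_version": "", "severity": "Medium"},
        ],
    }
}

if __name__ == "__main__":
    print(project_policy_payload("high", ["CVE-0000-0001"]))
    print(pull_decision(SAMPLE_ADDITIONS, "high"))
    print(pull_decision(SAMPLE_ADDITIONS, "high", allowlist={"CVE-0000-0001"}))
    print(pull_decision({}, "critical"))
```

The allowlist path is the one worth rehearsing before an incident: allowlisting the single Critical finding drops the artifact to Medium and lets a `high` threshold pass, which is exactly the decision you make when a CVE is unexploitable in your image but has no fix yet.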
The operational footprint is heavy: nginx, core, jobservice, registry, registryctl, trivy-adapter, portal, exporter, Redis/Valkey, and PostgreSQL, ten containers just to get started (exporter and the scanner are optional, but the default compose file adds a log collector on top). The prepare tool is a Python script that renders docker-compose.yml and each component's config from harbor.yml through templates, a fragile layer that has historically been the source of upgrade pain. Garbage collection is expensive: in 1.x it forced the registry read-only for the duration, and while 2.x runs it without doing that, it still walks every manifest and blob and can take hours on a large instance, which the docs undersell. LDAP/AD integration is one-directional and evaluated at login: Harbor onboards a user into its own database the first time they authenticate and checks group membership then. Removing a user from AD stops new logins, because Harbor binds against the directory, but the Harbor user record, its project memberships and any existing session linger until they expire or an admin removes them; there is no scheduled sync that would do it for you.
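A reconciliation check for the LDAP leftover problem above, added here as an example and not part of Harbor's tooling. It assumes the user objects returned by `GET /api/v2.0/users` (admin-only; fields `user_id`, `username`, `email`, `sysadmin_flag`) and a list of usernames still present in the directory; both inputs are constructed, and Harbor's built-in local `admin` account is skipped because it never comes from the directory.

```python
"""Find Harbor users onboarded from LDAP/AD whose directory account is gone.

Added example, not Harbor code. Input shapes (GET /api/v2.0/users objects and
a plain list of directory usernames) are assumptions; the data is constructed.
"""


def _norm(name):
    # sAMAccountName comparisons are case-insensitive; Harbor keeps what was typed.
    return name.strip().lower()


def find_orphans(harbor_users, directory_usernames):
    """Harbor users with no matching directory account, sysadmins listed first."""
    present = {_norm(n) for n in directory_usernames}
    orphans = [
        u for u in harbor_users
        if u["username"] != "admin" and _norm(u["username"]) not in present
    ]
    # A leftover sysadmin still holds every project; deal with it first.
    return sorted(orphans, key=lambda u: (not u.get("sysadmin_flag", False), _norm(u["username"])))


def deletion_requests(orphans):
    """(method, path) pairs that remove the rows; issue them after reviewing the list."""
    return [("DELETE", f"/api/v2.0/users/{u['user_id']}") for u in orphans]


# Constructed sample data.
HARBOR_USERS = [
    {"user_id": 1, "username": "admin", "email": "admin@example.test", "sysadmin_flag": True},
    {"user_id": 7, "username": "Alice", "email": "alice@example.test", "sysadmin_flag": False},
    {"user_id": 9, "username": "bob", "email": "bob@example.test", "sysadmin_flag": True},
    {"user_id": 12, "username": "carol", "email": "carol@example.test", "sysadmin_flag": False},
    {"user_id": 15, "username": "erin", "email": "erin@example.test", "sysadmin_flag": False},
]
DIRECTORY_USERNAMES = ["alice", "carol", "dave"]

if __name__ == "__main__":
    orphans = find_orphans(HARBOR_USERS, DIRECTORY_USERNAMES)
    for u in orphans:
        print(u["username"], "(sysadmin)" if u["sysadmin_flag"] else "")
    print(deletion_requests(orphans))
```

Run it from a scheduled job with the directory side fed by whatever already exports your AD user list; the point is that Harbor will never produce this diff on its own.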