Harbor (OSS Project)
Harbor is an open-source cloud native registry (container registry and artifact registry) that stores, signs, and scans container images and other OCI-compliant artifacts for enterprise environments (container security, software supply chain).
- Private container and artifact registry with role-based access control for OCI images and related artifacts (container registry, identity and access).
- Integrated vulnerability scanning and policy enforcement for images and artifacts (security scanning, compliance).
- Image signing and verification using content trust workflows (software supply chain security).
- Replication, proxying, and synchronization of artifacts across multiple registries and geographies (multi-registry management, DevOps).
- Web UI, Representational State Transfer (REST) APIs, and integration with Kubernetes and other cloud native platforms (developer tooling, platform integration).
More About Harbor (OSS Project)
Harbor is an open-source cloud native registry that manages and secures container images and other Open Container Initiative (OCI) artifacts for enterprise and institutional environments. It addresses requirements around storing, controlling, and distributing container images with access control, compliance checks, and supply chain security features that extend beyond a basic container registry.
Harbor functions as a private registry (container registry) that supports OCI-compliant images and related artifacts. It organizes content into projects, supports multi-tenant scenarios, and provides Role-Based Access Control (RBAC) (identity and access) to restrict who can push, pull, or manage artifacts. It integrates with external identity providers through LDAP/AD and OpenID Connect (OIDC) (identity and access) to align with enterprise authentication practices, and supports user groups and project-level permissions.
Security capabilities are a core focus. Harbor integrates vulnerability scanning (security scanning) for container images and artifacts, enabling automatic scans on push and scheduled scans, with results surfaced through the user interface and APIs. Policy enforcement (compliance, governance) can block images with vulnerabilities above configured thresholds from being pulled or promoted. Harbor also implements content signing and verification using Notary-based content trust and OCI-based signing (software supply chain security), allowing only signed and verified images to be deployed according to policy.
Harbor supports replication and proxying (multi-registry management, DevOps) to synchronize artifacts across multiple Harbor instances or with external registries. It offers multiple replication topologies, including push- and pull-based modes, and can act as a proxy cache for upstream registries to reduce bandwidth usage and improve locality. These features support geographically distributed deployments and multi-cluster Kubernetes environments.
From an operational standpoint, Harbor exposes a REST Application Programming Interface (API) (developer tooling, integration) and a web-based management console for administration and self-service. It is designed to run on Kubernetes (cloud native infrastructure) and integrates with CNCF ecosystem components. Harbor supports pluggable scanners via an adapter framework (extensibility) so organizations can connect different vulnerability scanning engines, and it includes capabilities such as tag retention rules, quota management, and audit logging (governance, observability) to manage lifecycle and compliance for stored artifacts.
Enterprises typically place Harbor in the software delivery and container platform stack as the central artifact registry for Kubernetes clusters and Continuous Integration and Continuous Deployment (CI/CD) pipelines (DevOps, platform engineering). It acts as a Policy Enforcement Point (PEP) between build and runtime, enhancing control over which container images and artifacts are deployed to production. Within a technical taxonomy, Harbor is categorized as a cloud native container registry and artifact registry with integrated security, compliance, and multi-registry management features for OCI-based workloads.