Skip to main content

Harbor

Harbor is an open-source cloud-native container image registry and artifact management platform (container registry/security) that provides Role-Based Access Control (RBAC), policy-based image replication, vulnerability scanning, and content signing for enterprise container and OCI artifact workflows.

  • Private container and OCI artifact registry with namespace, project, and RBAC (container registry, identity and access)
  • Image vulnerability scanning and security policy enforcement for stored artifacts (container security, vulnerability management)
  • Image signing and verification using Notary and cosign for content trust (software supply chain security)
  • Replication of images and artifacts across multiple registries and Harbor instances (multi-registry management, hybrid/multi-cloud)
  • API-driven integration with Continuous Integration and Continuous Deployment (CI/CD) pipelines and Kubernetes platforms (DevOps toolchain integration)

More About Harbor

Harbor is an open-source cloud-native registry project (container registry) that manages and secures container images and other OCI-compliant artifacts for enterprise and institutional environments. It addresses requirements around private image hosting, access control, compliance, and supply chain security that arise when organizations move containerized workloads into production and across multiple clusters or cloud providers.

At its core, Harbor provides a private container and artifact registry (container registry) that supports Docker and OCI-compatible images and related artifact types. It organizes content into projects and namespaces, with configurable RBAC (identity and access) that maps to enterprise user and group models via LDAP/AD or OIDC-based Single Sign-On (SSO), depending on deployment configuration. This structure allows teams to segment content, restrict access, and enforce Separation of Duties (SoD) within a shared registry service.

Harbor incorporates image vulnerability scanning (vulnerability management) by integrating with pluggable scanning engines exposed through a standard scanner Application Programming Interface (API). Organizations can configure scanners and policies so that images are scanned on push or on a schedule, and they can enforce rules such as preventing the pulling of images with certain vulnerability severities. These capabilities support security and compliance workflows, where registries act as control points for what software is permitted into build and deployment pipelines.

To address software supply chain integrity, Harbor supports content signing and verification (supply chain security) for images using Notary (implementing Docker Content Trust) and cosign-based signatures for OCI artifacts, subject to configuration. Administrators can define policies that require trusted signatures before images are pulled or promoted between projects or environments. Combined with access control and scanning, this provides multiple checkpoints across the artifact lifecycle.

Harbor also supports replication (multi-registry management) of images and artifacts between Harbor instances and external registries, including cloud provider registries and other OCI-compliant registries, according to outbound or inbound replication rules. This allows organizations to synchronize content across on-premises (on-prem) and cloud environments, implement regional mirrors, or stage content closer to deployment clusters while maintaining a consistent set of approved artifacts.

From an operational standpoint, Harbor exposes Representational State Transfer (REST) APIs (DevOps toolchain integration) and supports integration into CI/CD systems that push, scan, sign, and promote images as part of automated pipelines. It is typically deployed on Kubernetes (container orchestration) using Helm charts or manifests, and it uses components such as a registry service, database, job service, and optional cache and proxy layers. Harbor is a graduated project within the Cloud Native Computing Foundation (CNCF), and in an enterprise technology directory it fits under container registries, vulnerability and policy control points, and software supply chain security tooling within cloud-native platform architectures.