
Registry & Distribution

Store, tag, and distribute Docker images through Docker Hub, private registries, and secure image management workflows.

Docker Hub

Docker Hub is the default public registry. Push images with docker push after tagging with your Docker Hub username. Pull public images with docker pull. Organize images into repositories with tags for versioning.

Use official images (nginx, postgres, node) as base images — they are maintained, scanned, and regularly updated by Docker and upstream maintainers.

  • Official images have no username prefix: nginx:alpine
  • Docker Hub free tier includes one private repository
  • Enable 2FA on Docker Hub for account security

docker login
docker tag myapp:latest username/myapp:1.0.0
docker push username/myapp:1.0.0
docker pull username/myapp:1.0.0

Image Tagging Strategy

Tags identify image versions. Use semantic versioning (1.0.0, 1.0, 1) for releases. Never use latest in production — it is mutable and unpredictable. Tag with git SHA for traceability.

A good tagging strategy: myapp:1.2.3 (exact version), myapp:1.2 (floating tag that follows patch updates), myapp:sha-abc1234 (git commit). Production deploys pin to an exact version or SHA.

docker build -t myapp:1.2.3 .
docker tag myapp:1.2.3 myapp:1.2
docker tag myapp:1.2.3 myapp:1
docker tag myapp:1.2.3 registry.example.com/myapp:1.2.3

Private Registries

Run a private registry with the registry:2 image for on-premise storage. Cloud providers offer managed registries: ECR (AWS), GCR/Artifact Registry (Google), ACR (Azure), and GitHub Container Registry (ghcr.io).

Private registries require authentication. Configure credentials with docker login or credential helpers. CI/CD pipelines use service account tokens or OIDC for passwordless authentication.

# Run local registry
docker run -d -p 5000:5000 --name registry registry:2

# Push to local registry
docker tag myapp:latest localhost:5000/myapp:latest
docker push localhost:5000/myapp:latest

# GitHub Container Registry (tag with the ghcr.io prefix, then push)
docker tag myapp:latest ghcr.io/org/myapp:1.0.0
docker push ghcr.io/org/myapp:1.0.0

Image Scanning

Scan images for known vulnerabilities before deployment. Docker Scout integrates with Docker Desktop and Hub. Trivy is a popular open-source scanner usable in CI pipelines.

Establish a policy: block deployment of images with critical CVEs. Regularly rebuild images to pick up patched base layers.

# Docker Scout
docker scout cves myapp:latest

# Trivy
trivy image myapp:latest
# Report only CRITICAL and HIGH findings; add --exit-code 1 to fail a CI job when any are found
trivy image --severity CRITICAL,HIGH myapp:latest

Distribution Best Practices

Use multi-stage builds to minimize image size for faster pulls. Pin base image digests for reproducibility. Sign images with Docker Content Trust or cosign for supply chain security.

Cache images in CI runners to avoid pulling on every build. Use a pull-through cache registry for teams to reduce Hub rate limits and improve pull speed.

# Pin by digest for reproducible builds (Dockerfile)
FROM node:20-alpine@sha256:abc123...

# Sign with cosign (the image must already be pushed to a registry)
cosign sign --key cosign.key ghcr.io/org/myapp:1.0.0
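
A pre-deploy check for the pinning rules on this page (exact version or git-SHA tags from the tagging section, digest pins from this one), as an added example that is not part of the original page. The function names classify_ref and deploy_allowed and the sample image names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original page): classify image references
# before a production deploy. All image names below are constructed samples.

# Prints: digest | exact | sha | floating | latest | untagged | invalid
classify_ref() {
    ref=$1
    case $ref in
        *@*)
            # Digest pin: content-addressed, so it cannot be re-pointed.
            digest=${ref##*@}
            if printf '%s\n' "$digest" | grep -Eq '^sha256:[0-9a-f]{64}$'; then
                echo digest
            else
                echo invalid    # truncated or malformed digest
            fi
            return ;;
    esac
    # Look for a tag only in the last path component, so the port in
    # "localhost:5000/myapp" is not mistaken for a tag.
    last=${ref##*/}
    case $last in
        *:*) tag=${last##*:} ;;
        *)   echo untagged; return ;;   # Docker resolves this to :latest
    esac
    if [ "$tag" = latest ]; then
        echo latest
    elif printf '%s\n' "$tag" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'; then
        echo exact
    elif printf '%s\n' "$tag" | grep -Eq '^sha-[0-9a-f]{7,40}$'; then
        echo sha
    else
        echo floating           # e.g. 1.2, 1, alpine: moves over time
    fi
}

# Exit status 0 only for references the page's policy allows in production.
deploy_allowed() {
    case $(classify_ref "$1") in
        digest|exact|sha) return 0 ;;
        *)                return 1 ;;
    esac
}

for ref in registry.example.com/myapp:1.2.3 localhost:5000/myapp myapp:1.2; do
    if deploy_allowed "$ref"; then echo "ALLOW $ref"; else echo "BLOCK $ref"; fi
done
```

Exact-version and SHA tags pass this check by naming convention only; a registry can still accept a re-push of the same tag, so the digest form is the one that guarantees identical content.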
