Skip to content

Connecting Registries

Connect a registry so Vygl can discover your images, scan them for OS-package and dependency vulnerabilities, and keep watching them as new CVEs are disclosed. Five providers are supported: Harbor, AWS ECR, Google Artifact Registry, GitHub Container Registry (GHCR), and Docker Hub.

All five are scanned on a daily catch-up rescan. Harbor additionally supports webhook-driven scanning — newly pushed images are scanned within seconds. The other providers don’t deliver push webhooks to Vygl yet, so their images are picked up on the next nightly rescan.

  1. Open Settings → Registries and click Connect Registry.
  2. Pick your provider and give the connection a Display Name.
  3. Enter the Registry URL and the provider-specific credentials (below).
  4. Click Connect. Vygl tests the credentials against the registry and saves the connection only on success. (The “Test connection” button is a smoke check on the form fields — the real verification happens on Connect.)
  5. Pick the repositories to enable. Each enabled repo becomes a Vygl project automatically.
FieldValue
Registry URLhttps://harbor.example.com
UsernameHarbor robot account or user
PasswordMatching password / token

Harbor is the only provider with real-time, push-driven scanning. After you connect, Vygl shows a one-time webhook secret — copy it immediately, it is not shown again.

Webhook setup. In your Harbor project, add a webhook policy with:

Harbor fieldValue
Notify Endpoint URLhttps://api.vygl.io/api/v1/registries/webhooks/harbor/<connection_id> (shown on the connection detail page)
Auth HeaderSecret <the one-time secret>

Vygl verifies the HMAC on every delivery, so pushed images are scanned within seconds. Without the webhook, pushes are still caught by the daily rescan.

FieldValue
Registry URL123456789012.dkr.ecr.us-east-1.amazonaws.com (account host, no https://)
AWS Access Key IDAKIA…
AWS Secret Access Keythe matching secret
AWS Regione.g. us-east-1 (must match the region in the URL)

Create an IAM user with a read-only policy granting these actions:

ecr:DescribeRepositories
ecr:DescribeImages
ecr:GetAuthorizationToken
ecr:BatchGetImage
ecr:GetDownloadUrlForLayer

ECR images are picked up by the nightly rescan; there is no push webhook.

FieldValue
Registry URLus-central1-docker.pkg.dev (region host — must match the Location below)
Service Account JSONthe full key file contents, pasted in
Locationthe AR location, e.g. us-central1
Project IDyour GCP project, e.g. my-gcp-project

Create a service account and grant it roles/artifactregistry.reader on the project (or a finer-grained grant on each Artifact Registry repository). Download a JSON key for it and paste the entire file into the Service Account JSON field.

GAR images are picked up by the nightly rescan; there is no push webhook.

FieldValue
Registry URLghcr.io (always)
GitHub Username / Orgthe package owner — your username, or an org name for org-owned packages
Personal Access Tokena classic PAT with the read:packages scope

The username field doubles as the package owner Vygl enumerates: pass an org name to scan that org’s packages, or your username for personal packages. Generate the PAT at GitHub → Settings → Developer settings → Personal access tokens (classic) with only read:packages.

GHCR images are picked up by the nightly rescan; there is no push webhook.

FieldValue
Registry URLdocker.io (always)
Docker Hub Usernameyour Docker Hub account
Access Token (PAT)dckr_pat_…
Namespace(optional) an org/namespace you can read; defaults to your username

Create the token at hub.docker.com → Account Settings → Security → New Access Token. The default Read scope is enough. Use the Namespace field to scan an organization’s repositories you have read access to.

Docker Hub images are picked up by the nightly rescan; there is no push webhook.

TriggerWhenProviders
WebhookWithin seconds of an image pushHarbor only
Daily catch-up rescan03:00 UTC, dispatches a fresh scan for the latest tag of every enabled repo whose nightly_rescan flag is on (default: on)All providers

The catch-up rescan re-scans even unchanged images, so a CVE disclosed today surfaces on tomorrow’s scan. Findings land in the connected repo’s project as container findings, alongside your SAST/SCA/secrets/IaC results.

Per-repo tag_patterns (glob, default ["*"]) and exclude_tags fields exist on the connection model and are exposed in the API, but they are not yet enforced by the rescan or webhook handlers — every pushed/latest tag is scanned today. A user-facing tag filter is on the roadmap.