Connecting Registries
Connect a registry to discover existing images, scan them, and watch for new vulnerabilities over time. Each registry uses provider-native authentication. Only Harbor supports webhook-driven real-time scanning today; the others rely on a nightly rescan job.
- Open Settings → Registries and click Add Registry.
- Pick the provider (Docker Hub, ECR, GCR, or Harbor).
- Provide credentials (see provider tabs below).
- Click Test connection — Vygl verifies the credentials and lists the repositories it can see.
- Pick repositories to enable. Each becomes a Vygl project automatically.
Per-provider credentials
Docker Hub
| Field | Value |
|---|---|
| Username | Your Docker Hub username |
| Password | Personal access token (recommended) or password |
Docker Hub has strict anonymous-pull rate limits — always provide credentials, even for public images you “could” pull anonymously.
Webhook support: No. Images are scanned on the nightly rescan job (03:00 UTC).
AWS ECR
| Field | Value |
|---|---|
| Access key ID | AWS IAM user / role access key |
| Secret access key | Matching secret |
| Region | e.g. us-east-1 |
The IAM identity needs ecr:GetAuthorizationToken, ecr:BatchGetImage, ecr:DescribeImages, ecr:DescribeRepositories, and ecr:GetDownloadUrlForLayer.
Webhook support: No. ECR Registry events aren’t currently consumed; scans run nightly.
Google GCR
| Field | Value |
|---|---|
| Service account JSON | Upload the JSON keyfile |
The service account needs roles/artifactregistry.reader (or roles/storage.objectViewer for legacy GCR).
Webhook support: No. Scans run nightly.
Harbor
| Field | Value |
|---|---|
| Harbor URL | https://harbor.example.com |
| Username | Harbor robot account or user |
| Password | Matching password / token |
Webhook support: Yes — the only registry with real-time push events. Configure a webhook in your Harbor project pointing at the URL Vygl shows you on the registry detail page; Vygl verifies HMAC on every event. Newly pushed images are scanned within seconds.
Scan cadence
| Registry | Real-time | Nightly rescan |
|---|---|---|
| Docker Hub | — | 03:00 UTC |
| AWS ECR | — | 03:00 UTC |
| Google GCR | — | 03:00 UTC |
| Harbor | Webhook on push | 03:00 UTC (catch-up) |
The nightly rescan picks up the latest tag for each enabled repository (or all tags matching a tag_filter_regex). It also re-evaluates existing scans against the latest OSV data — so a CVE disclosed today appears on tomorrow’s scan even if the image hasn’t changed.
Tag filtering
Each repository can specify a tag filter regex (for example ^v\d+\.\d+\.\d+$ to scan only semver tags). Without a filter, every tag is scanned.
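A tag filter also decides which images are never scanned, so it is worth previewing before you save it. The sketch below is an added example, not Vygl code: `preview_tag_filter`, the sample tags and the deployed-tag set are hypothetical, and it assumes search-style matching because the page does not say which regex engine Vygl uses.

```python
import re

# Constructed sample data: tags in one repository and the tags actually deployed.
REPO_TAGS = ["v1.4.0", "v1.4.1", "v1.5.0-rc1", "latest", "nightly-v1.5.0", "sha-9f2c1ab"]
DEPLOYED_TAGS = {"v1.4.1", "latest"}


def preview_tag_filter(pattern, tags, deployed=()):
    """Split tags into scanned/skipped and list deployed tags the filter excludes.

    pattern=None models a repository with no filter: every tag is scanned.
    Assumption: the filter uses search semantics, so a pattern without ^ and $
    matches anywhere inside the tag. Vygl's regex engine is not documented here.
    """
    if pattern is None:
        return {"scanned": list(tags), "skipped": [], "deployed_unscanned": []}
    try:
        rx = re.compile(pattern)
    except re.error as exc:
        # Reject a broken pattern up front instead of silently scanning nothing.
        raise ValueError(f"invalid tag filter {pattern!r}: {exc}") from exc
    scanned = [t for t in tags if rx.search(t)]
    skipped = [t for t in tags if not rx.search(t)]
    # Coverage gap: images that are running somewhere but excluded from scans.
    gap = sorted(t for t in deployed if t in skipped)
    return {"scanned": scanned, "skipped": skipped, "deployed_unscanned": gap}


if __name__ == "__main__":
    cases = [
        ("no filter", None),
        ("semver filter from this page", r"^v\d+\.\d+\.\d+$"),
        ("same filter without anchors", r"v\d+\.\d+\.\d+"),
    ]
    for label, pat in cases:
        print(f"{label}: {preview_tag_filter(pat, REPO_TAGS, DEPLOYED_TAGS)}")
```

With the anchored semver filter, the deployed `latest` tag falls outside the scan set; without the anchors, pre-release and nightly tags are pulled in as well.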