Connecting Registries
Connect a registry so Vygl can discover your images, scan them for OS-package and dependency vulnerabilities, and keep watching them as new CVEs are disclosed. Five providers are supported: Harbor, AWS ECR, Google Artifact Registry, GitHub Container Registry (GHCR), and Docker Hub.
All five are scanned on a daily catch-up rescan. Harbor additionally supports webhook-driven scanning — newly pushed images are scanned within seconds. The other providers don’t deliver push webhooks to Vygl yet, so their images are picked up on the next nightly rescan.
- Open Settings → Registries and click Connect Registry.
- Pick your provider and give the connection a Display Name.
- Enter the Registry URL and the provider-specific credentials (below).
- Click Connect. Vygl tests the credentials against the registry and saves the connection only on success. (The “Test connection” button is a smoke check on the form fields — the real verification happens on Connect.)
- Pick the repositories to enable. Each enabled repo becomes a Vygl project automatically.
Harbor
Section titled “Harbor”| Field | Value |
|---|---|
| Registry URL | https://harbor.example.com |
| Username | Harbor robot account or user |
| Password | Matching password / token |
Harbor is the only provider with real-time, push-driven scanning. After you connect, Vygl shows a one-time webhook secret — copy it immediately, it is not shown again.
Webhook setup. In your Harbor project, add a webhook policy with:
| Harbor field | Value |
|---|---|
| Notify Endpoint URL | https://api.vygl.io/api/v1/registries/webhooks/harbor/<connection_id> (shown on the connection detail page) |
| Auth Header | Secret <the one-time secret> |
Vygl verifies the HMAC on every delivery, so pushed images are scanned within seconds. Without the webhook, pushes are still caught by the daily rescan.
AWS ECR
Section titled “AWS ECR”| Field | Value |
|---|---|
| Registry URL | 123456789012.dkr.ecr.us-east-1.amazonaws.com (account host, no https://) |
| AWS Access Key ID | AKIA… |
| AWS Secret Access Key | the matching secret |
| AWS Region | e.g. us-east-1 (must match the region in the URL) |
Create an IAM user with a read-only policy granting these actions:
ecr:DescribeRepositoriesecr:DescribeImagesecr:GetAuthorizationTokenecr:BatchGetImageecr:GetDownloadUrlForLayerECR images are picked up by the nightly rescan; there is no push webhook.
Google Artifact Registry
Section titled “Google Artifact Registry”| Field | Value |
|---|---|
| Registry URL | us-central1-docker.pkg.dev (region host — must match the Location below) |
| Service Account JSON | the full key file contents, pasted in |
| Location | the AR location, e.g. us-central1 |
| Project ID | your GCP project, e.g. my-gcp-project |
Create a service account and grant it roles/artifactregistry.reader on the project (or a finer-grained grant on each Artifact Registry repository). Download a JSON key for it and paste the entire file into the Service Account JSON field.
GAR images are picked up by the nightly rescan; there is no push webhook.
GitHub Container Registry (GHCR)
Section titled “GitHub Container Registry (GHCR)”| Field | Value |
|---|---|
| Registry URL | ghcr.io (always) |
| GitHub Username / Org | the package owner — your username, or an org name for org-owned packages |
| Personal Access Token | a classic PAT with the read:packages scope |
The username field doubles as the package owner Vygl enumerates: pass an org name to scan that org’s packages, or your username for personal packages. Generate the PAT at GitHub → Settings → Developer settings → Personal access tokens (classic) with only read:packages.
GHCR images are picked up by the nightly rescan; there is no push webhook.
Docker Hub
Section titled “Docker Hub”| Field | Value |
|---|---|
| Registry URL | docker.io (always) |
| Docker Hub Username | your Docker Hub account |
| Access Token (PAT) | dckr_pat_… |
| Namespace | (optional) an org/namespace you can read; defaults to your username |
Create the token at hub.docker.com → Account Settings → Security → New Access Token. The default Read scope is enough. Use the Namespace field to scan an organization’s repositories you have read access to.
Docker Hub images are picked up by the nightly rescan; there is no push webhook.
Scan cadence
Section titled “Scan cadence”| Trigger | When | Providers |
|---|---|---|
| Webhook | Within seconds of an image push | Harbor only |
| Daily catch-up rescan | 03:00 UTC, dispatches a fresh scan for the latest tag of every enabled repo whose nightly_rescan flag is on (default: on) | All providers |
The catch-up rescan re-scans even unchanged images, so a CVE disclosed today surfaces on tomorrow’s scan. Findings land in the connected repo’s project as container findings, alongside your SAST/SCA/secrets/IaC results.
Tag filtering
Section titled “Tag filtering”Per-repo tag_patterns (glob, default ["*"]) and exclude_tags fields exist on the connection model and are exposed in the API, but they are not yet enforced by the rescan or webhook handlers — every pushed/latest tag is scanned today. A user-facing tag filter is on the roadmap.