← Back to SkillsView on GitHub
container-registry-management
aj-geddes
Updated Today
22 views
7
7
Documentationai
About
This Claude Skill enables developers to manage container registries like Docker Hub, ECR, and GCR through a unified interface. It provides key capabilities including image scanning for vulnerabilities, automated retention policies, and granular access control. Use this skill for secure container image storage, compliance enforcement, and cost optimization across multi-region deployments.
Documentation
Container Registry Management
Overview
Implement comprehensive container registry management including image scanning, vulnerability detection, retention policies, access control, and multi-region replication.
When to Use
- Container image storage and distribution
- Security scanning and compliance
- Image retention and cleanup
- Registry access control
- Multi-region deployments
- Image signing and verification
- Cost optimization
Implementation Examples
1. AWS ECR Setup and Management
# ecr-setup.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: ecr-management
namespace: operations
data:
setup-ecr.sh: |
#!/bin/bash
set -euo pipefail
REGISTRY_NAME="myapp"
REGION="us-east-1"
ACCOUNT_ID="123456789012"
echo "Setting up ECR repository..."
# Create ECR repository
aws ecr create-repository \
--repository-name "$REGISTRY_NAME" \
--region "$REGION" \
--encryption-configuration encryptionType=KMS,kmsKey=arn:aws:kms:$REGION:$ACCOUNT_ID:key/12345678-1234-1234-1234-123456789012 \
--image-tag-mutability IMMUTABLE \
--image-scanning-configuration scanOnPush=true || true
echo "Repository: $ACCOUNT_ID.dkr.ecr.$REGION.amazonaws.com/$REGISTRY_NAME"
# Set lifecycle policy
aws ecr put-lifecycle-policy \
--repository-name "$REGISTRY_NAME" \
--region "$REGION" \
--lifecycle-policy-text '{
"rules": [
{
"rulePriority": 1,
"description": "Keep last 20 images tagged with release",
"selection": {
"tagStatus": "tagged",
"tagPrefixList": ["release"],
"countType": "imageCountMoreThan",
"countNumber": 20
},
"action": {
"type": "expire"
}
},
{
"rulePriority": 2,
"description": "Remove untagged images older than 7 days",
"selection": {
"tagStatus": "untagged",
"countType": "sinceImagePushed",
"countUnit": "days",
"countNumber": 7
},
"action": {
"type": "expire"
}
},
{
"rulePriority": 3,
"description": "Keep all development images for 30 days",
"selection": {
"tagStatus": "tagged",
"tagPrefixList": ["dev"],
"countType": "sinceImagePushed",
"countUnit": "days",
"countNumber": 30
},
"action": {
"type": "expire"
}
}
]
}'
# Enable cross-region replication
aws ecr create-registry \
--region "$REGION" \
--replication-configuration '{
"rules": [
{
"destinations": [
{
"region": "eu-west-1",
"registryId": "'$ACCOUNT_ID'"
},
{
"region": "ap-northeast-1",
"registryId": "'$ACCOUNT_ID'"
}
],
"repositoryFilters": [
{
"filter": "'$REGISTRY_NAME'",
"filterType": "PREFIX_MATCH"
}
]
}
]
}' || true
echo "ECR setup complete"
scan-images.sh: |
#!/bin/bash
set -euo pipefail
REGISTRY_NAME="myapp"
REGION="us-east-1"
echo "Scanning all images in $REGISTRY_NAME"
# Get all image IDs
IMAGE_IDS=$(aws ecr list-images \
--repository-name "$REGISTRY_NAME" \
--region "$REGION" \
--query 'imageIds[*]' \
--output json)
# Scan each image
echo "$IMAGE_IDS" | jq -r '.[] | @base64' | while read image; do
IMAGE=$(echo "$image" | base64 -d | jq -r '.imageTag')
DIGEST=$(echo "$image" | base64 -d | jq -r '.imageDigest')
echo "Scanning image: $IMAGE ($DIGEST)"
# Start scan
aws ecr start-image-scan \
--repository-name "$REGISTRY_NAME" \
--image-id imageTag="$IMAGE" \
--region "$REGION" || true
# Get scan results
sleep 5
RESULTS=$(aws ecr describe-image-scan-findings \
--repository-name "$REGISTRY_NAME" \
--image-id imageTag="$IMAGE" \
--region "$REGION")
CRITICAL=$(echo "$RESULTS" | jq '.imageScanFindings.findingSeverityCounts.CRITICAL // 0')
HIGH=$(echo "$RESULTS" | jq '.imageScanFindings.findingSeverityCounts.HIGH // 0')
if [ "$CRITICAL" -gt 0 ]; then
echo "WARNING: Image has $CRITICAL critical vulnerabilities"
fi
if [ "$HIGH" -gt 0 ]; then
echo "WARNING: Image has $HIGH high vulnerabilities"
fi
done
echo "Image scanning complete"
---
# Terraform ECR configuration
resource "aws_ecr_repository" "myapp" {
name = "myapp"
image_tag_mutability = "IMMUTABLE"
image_scanning_configuration {
scan_on_push = true
}
encryption_configuration {
encryption_type = "KMS"
kms_key = aws_kms_key.ecr.arn
}
tags = {
Name = "myapp-registry"
}
}
resource "aws_ecr_lifecycle_policy" "myapp" {
repository = aws_ecr_repository.myapp.name
policy = jsonencode({
rules = [
{
rulePriority = 1
description = "Keep last 20 production images"
selection = {
tagStatus = "tagged"
tagPrefixList = ["release"]
countType = "imageCountMoreThan"
countNumber = 20
}
action = {
type = "expire"
}
},
{
rulePriority = 2
description = "Remove untagged images after 7 days"
selection = {
tagStatus = "untagged"
countType = "sinceImagePushed"
countUnit = "days"
countNumber = 7
}
action = {
type = "expire"
}
}
]
})
}
resource "aws_ecr_repository_policy" "myapp" {
repository = aws_ecr_repository.myapp.name
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Effect = "Allow"
Principal = {
AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/EcsTaskExecutionRole"
}
Action = [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:GetImage"
]
}
]
})
}
2. Container Image Build and Push
#!/bin/bash
# build-and-push.sh - Build and push container images
set -euo pipefail
REGISTRY="${1:-123456789012.dkr.ecr.us-east-1.amazonaws.com}"
IMAGE_NAME="${2:-myapp}"
VERSION="${3:-latest}"
DOCKERFILE="${4:-Dockerfile}"
echo "Building and pushing container image..."
# Set full image path
FULL_IMAGE="$REGISTRY/$IMAGE_NAME:$VERSION"
# Login to ECR
echo "Authenticating to ECR..."
aws ecr get-login-password --region us-east-1 | \
docker login --username AWS --password-stdin "$REGISTRY"
# Build image
echo "Building image: $FULL_IMAGE"
docker build \
-f "$DOCKERFILE" \
-t "$FULL_IMAGE" \
-t "$REGISTRY/$IMAGE_NAME:latest" \
--build-arg BUILD_DATE="$(date -u +'%Y-%m-%dT%H:%M:%SZ')" \
--build-arg VCS_REF="$(git rev-parse --short HEAD)" \
--build-arg VERSION="$VERSION" \
.
# Scan with trivy before push
echo "Scanning image with Trivy..."
trivy image --severity HIGH,CRITICAL "$FULL_IMAGE"
# Push image
echo "Pushing image to ECR..."
docker push "$FULL_IMAGE"
docker push "$REGISTRY/$IMAGE_NAME:latest"
# Get image digest
DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "$FULL_IMAGE" | cut -d@ -f2)
echo "Image pushed successfully"
echo "Image: $FULL_IMAGE"
echo "Digest: $DIGEST"
3. Image Signing with Notary
#!/bin/bash
# sign-image.sh - Sign container images with Notary
set -euo pipefail
IMAGE="${1}"
NOTATION_KEY="${2:-mykey}"
echo "Signing image: $IMAGE"
# Initialize Notary
notary key list
# Sign image
notation sign \
--key "$NOTATION_KEY" \
--allow-missing \
"$IMAGE"
echo "Image signed successfully"
# Verify signature
notation verify "$IMAGE"
4. Registry Access Control
# registry-access-control.yaml
apiVersion: v1
kind: Secret
metadata:
name: ecr-pull-secret
namespace: production
type: kubernetes.io/dockercfg
stringData:
.dockercfg: |
{
"123456789012.dkr.ecr.us-east-1.amazonaws.com": {
"auth": "base64-encoded-credentials",
"email": "[email protected]"
}
}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: ecr-pull-sa
namespace: production
imagePullSecrets:
- name: ecr-pull-secret
---
apiVersion: v1
kind: Pod
metadata:
name: myapp
namespace: production
spec:
serviceAccountName: ecr-pull-sa
containers:
- name: app
image: 123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest
imagePullPolicy: Always
---
# IAM policy for ECR access
apiVersion: iam.aws.amazon.com/v1
kind: IAMPolicy
metadata:
name: ecr-read-only
spec:
policyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- ecr:GetDownloadUrlForLayer
- ecr:BatchGetImage
- ecr:GetImage
- ecr:DescribeImages
Resource: arn:aws:ecr:*:123456789012:repository/myapp
- Effect: Allow
Action:
- ecr:GetAuthorizationToken
Resource: '*'
5. Registry Monitoring
# registry-monitoring.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: registry-monitoring
namespace: monitoring
data:
dashboards.json: |
{
"dashboard": {
"title": "Container Registry",
"panels": [
{
"title": "Images by Repository",
"targets": [
{
"expr": "count by (repository) (aws_ecr_repository_images)"
}
]
},
{
"title": "Images with Vulnerabilities",
"targets": [
{
"expr": "sum(aws_ecr_image_scan_findings{severity=~\"HIGH|CRITICAL\"})"
}
]
},
{
"title": "Registry Storage",
"targets": [
{
"expr": "aws_ecr_repository_size_bytes"
}
]
}
]
}
}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: registry-alerts
namespace: monitoring
data:
alerts.yaml: |
groups:
- name: registry_alerts
rules:
- alert: ImageWithCriticalVulnerabilities
expr: aws_ecr_image_scan_findings{severity="CRITICAL"} > 0
for: 5m
labels:
severity: critical
annotations:
summary: "Image has critical vulnerabilities"
- alert: ImagePushFailure
expr: aws_ecr_push_failures_total > 0
for: 1m
labels:
severity: warning
annotations:
summary: "Image push failed"
- alert: RegistryStorageHigh
expr: aws_ecr_repository_size_bytes / 1024 / 1024 / 1024 > 100
labels:
severity: warning
annotations:
summary: "Registry storage usage is high"
Best Practices
✅ DO
- Scan images before deployment
- Use image tag immutability
- Implement retention policies
- Control registry access with IAM
- Sign images for verification
- Replicate across regions
- Monitor registry storage
- Use private registries
❌ DON'T
- Push to public registries
- Use
latesttag in production - Allow anonymous pulls
- Store secrets in images
- Keep old images indefinitely
- Push without scanning
- Use default credentials
- Share registry credentials
Registry Options
- Docker Hub: Public registry
- AWS ECR: AWS-managed
- Google GCR: Google Cloud
- Azure ACR: Azure-managed
- Artifactory: Self-hosted
- Harbor: Open-source
Image Naming Convention
[registry]/[organization]/[repository]:[tag]
123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:v1.2.3
Resources
Quick Install
/plugin add https://github.com/aj-geddes/useful-ai-prompts/tree/main/container-registry-managementCopy and paste this command in Claude Code to install this skill
GitHub 仓库
aj-geddes/useful-ai-prompts
Path: skills/container-registry-management
Related Skills
sglang
MetaSGLang is a high-performance LLM serving framework that specializes in fast, structured generation for JSON, regex, and agentic workflows using its RadixAttention prefix caching. It delivers significantly faster inference, especially for tasks with repeated prefixes, making it ideal for complex, structured outputs and multi-turn conversations. Choose SGLang over alternatives like vLLM when you need constrained decoding or are building applications with extensive prefix sharing.
View skill
evaluating-llms-harness
TestingThis Claude Skill runs the lm-evaluation-harness to benchmark LLMs across 60+ standardized academic tasks like MMLU and GSM8K. It's designed for developers to compare model quality, track training progress, or report academic results. The tool supports various backends including HuggingFace and vLLM models.
View skill
llamaguard
OtherLlamaGuard is Meta's 7-8B parameter model for moderating LLM inputs and outputs across six safety categories like violence and hate speech. It offers 94-95% accuracy and can be deployed using vLLM, Hugging Face, or Amazon SageMaker. Use this skill to easily integrate content filtering and safety guardrails into your AI applications.
View skill
langchain
MetaLangChain is a framework for building LLM applications using agents, chains, and RAG pipelines. It supports multiple LLM providers, offers 500+ integrations, and includes features like tool calling and memory management. Use it for rapid prototyping and deploying production systems like chatbots, autonomous agents, and question-answering services.
View skill