Container Registry

Hanzo Registry

Container registry with IAM-token auth. Push, pull, and sign OCI images without rotating long-lived registry passwords.

$ hanzo login registry.hanzo.ai
# IAM token minted, valid 1h
$ docker push registry.hanzo.ai/acme/api:v1.2.3

Built on Hanzo IAM

Identity-aware container delivery with no static credentials to leak

IAM Token Auth

Short-lived OIDC tokens from Hanzo IAM gate every push and pull. No registry passwords to rotate or revoke.

Org-Scoped Repos

Every repository belongs to an org. RBAC follows IAM groups, so onboarding a teammate is one IAM grant away.

Cosign + Attestation

Native sigstore signing and SLSA attestations. Verify provenance before any image runs.

OCI Compliant

Standard OCI v1.1 distribution and image specs. Works with docker, podman, buildkit, skopeo, crane.

Pull-Through Cache

Mirror upstream registries (Docker Hub, GHCR, GAR) with on-demand caching. Predictable bandwidth, no rate limits.

Edge Replication

Layers replicate to every Hanzo region. Pulls hit the nearest cache for fast cluster bootstraps.

No More Static Registry Creds

Replace dockerconfigjson secrets with IAM-issued tokens. Audit every push, expire every credential.

Get started with Registry

Open source

License: Apache-2.0

hanzoai/registry

OCI image registry