Configure registries
This guide covers the configuration options available for your Harness Artifact Registry, including security scanning, policy enforcement, artifact filtering rules, and upstream proxy settings.
Before you begin
- Harness account with Artifact Registry enabled.
- Registry created: Go to Create a registry to set up your first registry.
Access registry configuration
To change your registry settings, go to the registry and select Configuration.
From the configuration page you can:
- Change your registry Description.
- Add a label under Labels.
- Manage configuration options specific to your registry type, such as setting a security scanner for Docker registries.
- Manage Advanced settings, which include setting an upstream proxy.
Security
Built-in container scanners
This feature is only available for Docker and Helm registries.
When the Harness Supply Chain Security module is enabled, artifacts in the Harness Artifact Registry are automatically scanned using AquaTrivy, the currently supported scanner. Built-in container scanning creates a pipeline to ensure every artifact is scanned upon entry. Additional scanner options will be introduced in the future.
Policy sets
This feature is only available for Docker and Helm registries.
Policy sets allow you to define a collection of rules that automatically evaluate and take action on your artifacts. In Artifact Registry, these rules are evaluated as part of the scan pipeline that is triggered automatically when artifacts are ingested. You can add multiple policy sets to a registry for comprehensive protection; for vulnerability enforcement in this context, the policy set must be a Security Tests policy set.
Based on the vulnerabilities detected by the built-in container scanner, you can create a Security Tests policy set to automatically quarantine or block artifacts based on the severity of vulnerabilities found.
When an artifact violates a policy, it can be automatically quarantined to prevent it from being used in pipelines or downloaded by users. Go to Artifact quarantine to manage quarantined artifacts.
Artifact filtering rules
Use these rules to establish which artifacts are allowed or blocked entry into your registry.
Allowed patterns
In Allowed Patterns, use a regex string to define which artifacts are allowed into the registry. The regex matches against each incoming artifact and, if the match is successful, allows the push operation.
In Blocked Patterns, use a regex string to define which artifacts are blocked from the registry. The regex matches against each incoming artifact and, if the match is successful, disallows the push operation.
Example:
If you want to set a registry to store only prod artifacts and block all dev artifacts:
- Set the Allowed Patterns regex to: .*-prod
- Set the Blocked Patterns regex to: dev-.*
This allows any artifact that ends with -prod and blocks any artifact that starts with dev-.
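Before saving a pair of patterns, it helps to dry-run them against real artifact names. The following is an added example, not Harness code: it uses Python's `re` module as a stand-in for the registry's regex engine, takes the two patterns from the example above, and assumes the whole name must match (as the description "ends with" and "starts with" suggests). The artifact names are constructed.

```python
import re

# Patterns from the example on this page.
ALLOWED = r".*-prod"
BLOCKED = r"dev-.*"

# Constructed artifact names for the dry run.
SAMPLE_NAMES = [
    "payments-prod",
    "dev-payments",
    "dev-payments-prod",    # matches both patterns
    "payments-prod-debug",  # contains -prod but does not end with it
    "my-dev-tools",         # contains dev- but does not start with it
    "payments-staging",
]


def classify(name, allowed=ALLOWED, blocked=BLOCKED, whole_name=True):
    """Return 'allowed', 'blocked', 'conflict' (both match) or 'unmatched'.

    whole_name=True requires the regex to cover the entire name, which is the
    behaviour the page's example describes (assumed here, not confirmed).
    whole_name=False models an engine that accepts a match anywhere in the name.
    """
    match = re.fullmatch if whole_name else re.search
    hit_allowed = match(allowed, name) is not None
    hit_blocked = match(blocked, name) is not None
    if hit_allowed and hit_blocked:
        return "conflict"
    if hit_allowed:
        return "allowed"
    return "blocked" if hit_blocked else "unmatched"


def anchoring_sensitive(names, allowed=ALLOWED, blocked=BLOCKED):
    """Names whose verdict depends on whole-name versus substring matching."""
    return [n for n in names
            if classify(n, allowed, blocked, True) != classify(n, allowed, blocked, False)]


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(f"{n:22} {classify(n)}")
    print("depends on anchoring:", anchoring_sensitive(SAMPLE_NAMES))
    # Explicit ^...$ anchors give the same verdict under either matching mode.
    print("with ^...$:", anchoring_sensitive(SAMPLE_NAMES, r"^.*-prod$", r"^dev-.*$"))
```

A `conflict` result means the name matches both lists; this page does not state which list wins, so remove the overlap in the patterns rather than relying on precedence.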
Advanced settings
Set proxy for registry
You can configure your artifact registry to fetch artifacts from public upstream registries as well as other configured artifact registries. Harness supports two types of proxy configurations:
- Upstream Proxy: Connect to external registries (for example, Docker Hub, Maven Central). Go to Create an upstream proxy to set one up.
- Artifact Registry: Aggregate multiple Harness artifact registries within your account into a single access point.
Configure proxy settings
To set up either an upstream proxy or aggregate multiple registries into a single access point:
- In your registry, select Configuration.
- Open the Advanced (Optional) dropdown menu.
- Select Configure Upstream.
- Under Available upstream proxies, you will see a list that includes:
  - Upstream proxy (indicated by a proxy icon)
  - Artifact Registry (indicated by a registry icon)
- Select the proxies you want to use. You can select multiple proxies of either type.
- Under Selected proxies, arrange the order of proxies. When the registry receives a request, it queries the proxies in order from top to bottom.

In the example above, the registry has three selected proxies. When the registry receives a request, it queries the base registry first, then docker-up-15, followed by the two local registries in order.
When a registry receives a request, it checks the local (base) registry first. If the package exists locally, that version is returned and the upstream proxy is not queried. This means a locally published version can shadow newer versions available upstream. To avoid this, do not publish the same package to both a local registry and an upstream proxy that caches the same scope.
- Select Save in the top right corner.
The feature to add Artifact Registry to the Upstream Proxy list is currently behind the feature flag HAR_SUPPORT_LOCAL_REGISTRY_AS_UPSTREAM_PROXY. Contact Harness Support to enable it.
If you are adding an Artifact Registry to the Upstream Proxy list, ensure that there are no upstream proxies configured within your artifact registry.
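The query order and the shadowing behaviour described above can be checked offline against an inventory of what each source holds. This is an added example, not Harness code: the registry names, package names and versions are constructed, versions are assumed to be dotted integers, and the first-hit rule the page states for the base registry is assumed to apply between proxies as well.

```python
# Constructed inventory, listed in query order: base registry first,
# then the selected proxies from top to bottom.
SOURCES = [
    ("base-registry",    {"libfoo": ["1.2.0"]}),
    ("upstream-proxy-a", {"libfoo": ["1.2.0", "1.4.1"], "libbar": ["2.0.0"]}),
    ("local-registry-b", {"libbar": ["2.1.0"], "libbaz": ["0.9.0"]}),
]


def vkey(version):
    """Sort key for dotted integer versions, so 1.10.0 sorts above 1.9.0."""
    return tuple(int(part) for part in version.split("."))


def resolve(package, sources=SOURCES):
    """Return (source, newest version there) from the first source that holds
    the package; sources further down the list are never consulted."""
    for name, packages in sources:
        if package in packages:
            return name, max(packages[package], key=vkey)
    return None


def shadowed(sources=SOURCES):
    """List (package, answering source, its version, hidden source, newer version)
    for every package where an earlier source masks a newer version later on."""
    findings, first_hit = [], {}
    for name, packages in sources:
        for package, versions in packages.items():
            newest = max(versions, key=vkey)
            if package not in first_hit:
                first_hit[package] = (name, newest)
            elif vkey(newest) > vkey(first_hit[package][1]):
                findings.append((package, *first_hit[package], name, newest))
    return findings


if __name__ == "__main__":
    print("libfoo resolves to:", resolve("libfoo"))
    for finding in shadowed():
        print("shadowed:", finding)
```

Each finding is a package to remove from the earlier source or to reorder around, so that the newer version becomes reachable.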
Enable dependency firewall
This feature is behind the feature flag HAR_DEPENDENCY_FIREWALL. Contact Harness Support to enable it.
For upstream proxy registries, you can enable Dependency Firewall to control and secure artifacts fetched from external sources. When enabled, Dependency Firewall acts as a gatekeeper that evaluates every artifact version against configured security policies before allowing it to be cached in your registry.
To enable Dependency Firewall:
- In your upstream proxy registry, select Configuration.
- Open the Advanced (Optional) dropdown menu.
- Under Dependency Firewall Configuration, select Enable Dependency Firewall.
- Optionally, select Quarantine artifacts on 'Warn and Continue' fail criteria to also quarantine artifacts whose policy verdict is Warning (in addition to artifacts whose verdict is Blocked). Go to How the quarantine checkbox behaves to understand the full behavior.
- Select Save to apply the changes.
Once enabled, every artifact fetched from external sources through this upstream proxy is evaluated against the policy sets that apply to it. Each policy in the set carries its own fail action, either Error and exit or Warn & continue, chosen when the policy set is authored.
How the quarantine checkbox behaves
Blocked artifacts (a policy with Error and exit failed) are not cached. They require an exemption to consume.
Warning artifacts (a policy with Warn & continue failed) behave one of two ways:
- Checkbox cleared (default): the artifact is cached and remains usable; the violation only shows up on the Dependency Firewall dashboard.
- Checkbox selected: the artifact is cached but quarantined. It remains blocked until someone manually unquarantines it. Exemptions do not unblock quarantined packages.
Select the checkbox when you want a stricter posture without changing every individual policy from Warn & continue to Error and exit.
Go to Dependency Firewall to learn how it works and view violations. Go to Configure Policies and Policy Sets to configure the per-policy fail action.
Cleanup policies
Cleanup policies for artifact registries are coming soon.
Registry metadata
Enhance your registry organization and searchability by adding custom metadata. Metadata allows you to attach key-value pairs to your registries, making it easier to categorize, filter, and manage them based on your organization's specific needs.
You can add metadata such as owner information, environment tags, team assignments, or any custom attributes that help you organize your registries effectively.
Go to Artifact Registry Metadata to add and manage metadata at the registry, artifact, and package levels.
Next steps
- Create a registry: Set up new registries in your project.
- Create an upstream proxy: Connect to external registries like Docker Hub.
- Dependency Firewall: Configure policies to control artifact ingestion.
- Artifact management: Manage artifacts including quarantine and deletion.