Overview
Release 1.9.0 brings Private Container Registry Scanning — the most requested feature from our enterprise customers. Building on the container scanning introduced in 1.8.5, you can now scan private container images for vulnerabilities directly from VersionOps, without exposing credentials to CI/CD pipelines or deploying additional scanning agents.
The Problem
Until now, Trivy scanning in VersionOps worked only with public container images. If your images lived in a private AWS ECR, GitLab Registry, or Harbor instance, you had two options: set up Trivy separately in your CI/CD pipeline, or skip container scanning entirely. Both meant missing out on centralized vulnerability tracking, trend analysis, and automated alerts.
How It Works
VersionOps now stores your registry credentials securely (encrypted at rest with AES-256) and automatically applies them when scanning private images. No new agents, no complex setup — just add your registry credentials once and scan.
Supported Registries
| Registry | Auth Method | Setup |
|---|---|---|
| Docker Hub | Username + Password | Enter your Docker Hub credentials |
| AWS ECR | Access Key + Secret | VersionOps auto-refreshes temporary tokens |
| Google Artifact Registry | Service Account JSON | Upload your GCP service account key |
| Azure Container Registry | Service Principal | Enter tenant, client ID, and secret |
| GitHub GHCR | Personal Access Token | Use a PAT with read:packages scope |
| GitLab Registry | Username + Token | Use a deploy token or PAT |
| Harbor / JFrog / Nexus / Quay | Username + Password | Standard Docker V2 authentication |
| Any Docker V2 registry | Username + Password or Token | Works with any compatible registry |
Quick Start
- Go to Security > Registries tab
- Click Add Registry and select your provider
- Fill in your credentials and click Test Connection
- Save — you're ready to scan private images
The provider presets auto-fill the registry URL and show only the fields you need. For AWS ECR, just enter your access key, secret, and region — VersionOps handles the temporary token refresh automatically.
Automatic Credential Resolution
When you scan a container image, VersionOps automatically matches the image URL against your configured registries and applies the right credentials. This works for both manual scans and scheduled auto-scans — no extra configuration needed.
For example, if you add credentials for 123456789.dkr.ecr.us-east-1.amazonaws.com, any image from that registry will automatically use those credentials during scanning.
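The matching step described above, sketched as an added example (this is not VersionOps code; the function names, credential ids and the exact-host matching rule are assumptions). It derives the registry host from an image reference using Docker's naming rules and matches it by exact equality, so a look-alike host that merely begins with a configured registry name never receives stored credentials.

```python
# Added illustration; not VersionOps code. Matching rules here are assumptions.
from typing import Optional

DEFAULT_REGISTRY = "docker.io"  # Docker's implicit registry for bare names
DOCKER_HUB_ALIASES = {"index.docker.io", "registry-1.docker.io", "docker.io"}


def registry_host(image_ref: str) -> str:
    """Return the normalized registry host[:port] of an image reference."""
    ref = image_ref.strip()
    if "://" in ref:
        raise ValueError("image references do not carry a URL scheme")
    first, sep, _rest = ref.partition("/")
    # Docker's rule: the first component is a registry only if it looks like
    # a host (contains '.' or ':') or is 'localhost'; otherwise it is a
    # Docker Hub namespace such as 'library' or 'myorg'.
    if not sep or not ("." in first or ":" in first or first == "localhost"):
        return DEFAULT_REGISTRY
    host = first.lower().rstrip(".")
    if "@" in host:
        raise ValueError("userinfo in registry host is not allowed")
    return DEFAULT_REGISTRY if host in DOCKER_HUB_ALIASES else host


def resolve_credentials(image_ref: str, registries: dict) -> Optional[str]:
    """Return the credential id whose registry host equals the image's host.

    Exact equality only: prefix or substring matching would hand credentials
    to look-alike hosts that merely start with a configured registry name.
    """
    host = registry_host(image_ref)
    # Normalize configured keys the same way image references are normalized.
    normalized = {registry_host(k + "/x"): v for k, v in registries.items()}
    return normalized.get(host)


# Constructed sample configuration (credential ids are placeholders).
REGISTRIES = {
    "123456789.dkr.ecr.us-east-1.amazonaws.com": "cred-ecr",
    "docker.io": "cred-hub",
    "harbor.example.internal:8443": "cred-harbor",
}
```

Note that the port is part of the match: an image on `harbor.example.internal` without `:8443` resolves to no credentials in this sketch.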
Cloud-Native Token Management
For cloud-managed registries (AWS ECR, GCP Artifact Registry, Azure ACR), credentials are short-lived tokens that expire regularly. VersionOps handles this automatically:
- AWS ECR: Tokens refreshed every 12 hours
- GCP: OAuth tokens refreshed every hour
- Azure ACR: AAD tokens refreshed every hour
You provide your cloud credentials once, and VersionOps manages the token lifecycle.
Security
Registry credentials are treated with the same care as notification channel secrets:
- Encrypted at rest using Fernet (AES-256) encryption
- Masked in API responses — you'll never see raw credentials in the UI or API
- Audit logged — every create, update, delete, and connection test is recorded
- SSRF protected — connection tests block requests to internal networks and cloud metadata endpoints
Getting Started
Step 1: Add a Registry
Navigate to Security > Registries and click Add Registry. Choose your provider from the preset list.
Step 2: Configure Credentials
Fill in the required fields. For most registries, this is just a username and password or token. For cloud providers, enter your cloud credentials.
Step 3: Test the Connection
Click Test Connection to verify your credentials work. VersionOps will attempt to authenticate against the registry's Docker V2 API.
Step 4: Scan Your Images
Go to Security > Container Images, add your private image references, and click Scan. VersionOps will automatically use the matching registry credentials.
Step 5: Enable Auto-Scan
Turn on auto-scanning for your private images to get continuous vulnerability monitoring with configurable scan intervals (1-168 hours).
What's Next
We're working on:
- OIDC federation — connect to AWS ECR and GCP without static credentials
- Registry auto-discovery — automatically detect registries from your Kubernetes clusters
- Image tag monitoring — get alerted when new tags are pushed to tracked repositories
