█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/DevOps and Infrastructure/Docker and Containerization/Docker Hub and Image Registries
35 minIntermediate

Docker Hub and Image Registries

After this lesson, you will be able to: Push and pull images from Docker Hub, GitHub Container Registry (GHCR), and private registries. Tag images correctly.

Built images live somewhere. Registries are how teams share them and how deploys reach them. This lesson covers the most common ones.

Prerequisites:Docker Volumes

The three registries you'll see

Docker Hub (hub.docker.com): the default. Public images are free; private images require a paid plan. Pull rate limits on anonymous pulls. GitHub Container Registry (ghcr.io): integrated with GitHub. Free for public + private (within GitHub Actions). Common for OSS and modern teams. Cloud registries: AWS ECR, Google Artifact Registry, Azure ACR. Used when deploying to the same cloud (lower latency, IAM integration). Self-hosted: Harbor, Distribution Registry (the official one). For air-gapped or strict-compliance shops.

Push to Docker Hub

After signing up at hub.docker.com.

tsx
# Log in
docker login
# Username: your-hub-username
# Password: <use a personal access token, not your real password>
# Tag and push
docker tag myapp:1.0 your-hub-username/myapp:1.0
docker push your-hub-username/myapp:1.0
# Tag for 'latest' if you want
docker tag myapp:1.0 your-hub-username/myapp:latest
docker push your-hub-username/myapp:latest
# Now anyone can:
docker pull your-hub-username/myapp:1.0

Push to GHCR (GitHub Container Registry)

Tightly integrated with GitHub repos.

tsx
# Create a Personal Access Token (PAT) at github.com/settings/tokens
# Permissions needed: read:packages, write:packages, delete:packages
echo $GHCR_PAT | docker login ghcr.io -u your-github-username --password-stdin
# Tag and push (note the format: ghcr.io/<owner>/<image>:<tag>)
docker tag myapp:1.0 ghcr.io/your-github-username/myapp:1.0
docker push ghcr.io/your-github-username/myapp:1.0
# In GitHub Actions (free tier):
# - uses: docker/login-action@v3
# with:
# registry: ghcr.io
# username: ${{ github.actor }}
# password: ${{ secrets.GITHUB_TOKEN }}

Tagging strategy that doesn't bite you

NEVER use `:latest` in production. Reproducibility lost. Use semantic versions: `myapp:1.4.2`. Use git SHAs: `myapp:a1b2c3d`. CI tags every image with the build SHA; deploy that SHA. Use environment labels carefully: `myapp:staging` is fine as a moving pointer, but the underlying SHA is what truly identifies the build. Combo: tag both `myapp:a1b2c3d` AND `myapp:staging` when deploying to staging.

💡 Security scanning your images

Tools: Trivy, Snyk, Docker Scout. Most run as a single command. `trivy image myapp:1.0` scans for known CVEs in the base image + installed packages. GitHub Actions can scan on every PR. Block the deploy if Critical CVEs appear. Scanning catches outdated base images (you forgot to update node:20-alpine for 4 months and now there's a CVE).

Common mistakes only experienced engineers avoid

Pushing images with hardcoded secrets (env vars set at build time leak through layer inspection). Use runtime env vars. Forgetting `docker login` then debugging 'unauthorized' for an hour. Pushing 5GB images. Multi-stage builds + alpine bases keep them small. Storing PATs in plaintext. Use git-credential-helper or pass via stdin (as above). Anonymous Docker Hub pulls in CI/CD. The rate limit catches you mid-deploy.

Quick Check

Which tag strategy supports clean rollbacks?

Pick the safest approach.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←Docker in Development
Back to Docker and Containerization
Optimizing Docker Images→