Search the Community

Amazon Elastic Container Registry (ECR) Public has added new features that make it easier for customers to navigate the ECR Public Gallery and find the images they are looking for. New filters allow customers to search for images from well-known publishers such as Docker and Amazon, and a new landing page highlights those filters as well as other frequently used repositories. View the full article

Today, Amazon Elastic Container Registry Public (ECR Public) launched API support for listing tags for any repository in ECR Public. Now you can use Docker registry HTTP API v2 to list available tags in any public repository in addition to ECR Public gallery. View the full article

This blog focuses primarily on helping customers understand software supply chain security in the context of integrity and provenance—specifically, how cryptographic signatures can be used to simplify the process of ensuring the integrity of container images as they move through your software supply chain. We will also discuss how signing can help organizations validate their container images are coming from a trusted publisher, and how signing can be integrated with code scanning and approval workflows to facilitate a secure software supply chain. To be successful, signing and verification should be easily implemented and integrated with DevOps processes, ideally not placing undue burden on development teams to manage cryptographic keys and certificates. While this blog primarily covers signing container image manifests and related artifacts, cryptographic signatures can also be used to sign/verify documents, authentication tokens, software packages, and more. Today, building containers involves creating an image and putting it in a registry such as Amazon Elastic Container Registry Public (ECR Public), or Amazon ECR private registry; developers can then deploy containers from these repositories. Developers use code pipelines to build and deploy their container images. Building integrity verification for open source container images (as well as images built locally) into your CI/CD pipeline can reduce the risk of software supply chain attacks and provide continuous confidence to businesses using these container images across multiple business units. Put simply, we will examine the questions: What are cryptographic signatures, and how can they be used in a container build pipeline? How can organizations use signing to ensure that their container images are approved for use and have been verified as meeting their security standards? How can developers use signing to verify the container images they create haven’t been tampered with after they’re vetted and approved for use? View the full article

Amazon Lightsail now supports creating deployments for Lightsail container services using the container images on Amazon ECR private repositories. This launch will enable you to run containers with the simplified experience of Lightsail while utilizing the images you may already have in your private ECR repositories, thus enabling greater portability. View the full article

Amazon Elastic Container Registry Public (Amazon ECR Public) is a fully managed registry that makes it easy for a developer to publicly share container software worldwide for anyone to download. Anyone (with or without an AWS account) can use Amazon ECR Public to pull container software for use. Amazon ECR Public Gallery is a website that allows anyone to browse and search for public container images, view developer-provided details, and see pull commands. Developers no longer need to use different private and public registries when building and sharing their public container artifacts. And everyone, including anonymous users and logged-in AWS customers, can now pull artifacts from a highly available public registry using a single, global registry URL when building and running their applications. View the full article