Since we released GitHub Packages last year, hundreds of millions of packages have been downloaded from GitHub, with Docker as the second most popular ecosystem in Packages behind npm. Our users are leaning increasingly towards containers, Kubernetes, and other cloud-native technologies to manage their entire application lifecycle – not just through development, release, and deployment, but for production operations as well.
While GitHub Packages already gives teams greater traceability of their software supply chain, today we’re adding new capabilities to improve the experience and performance it provides for developers with GitHub Container Registry.
Available today as a public beta, GitHub Container Registry improves how we handle containers within GitHub Packages. With the new capabilities introduced today, you can better enforce access policies, encourage usage of a standard base image, and promote innersourcing through easier sharing across the organization.
Our users have asked for anonymous access for public container images, similar to how we enable anonymous access to public repositories of source code today. Anonymous access is available with GitHub Container Registry today, and we’ve gotten things started by publishing a public image of our own super-linter. GitHub Container Registry is free for public images. Container Registry is free for private images during the beta and, as part of GitHub Packages, will follow the same pricing model when generally available.
To better support collaboration across teams, and help our customers reinforce best practices for their releases, we’re also introducing data sharing and fine-grained permissions for containers across the organization. By publishing container images with the organization, teams can more easily and securely share them with other developers on the team. And by separating permissions for the package from those for its source code, teams can restrict publishing to a smaller set of users, or enforce other release policies.
With GitHub Actions, publishing to GitHub Container Registry is easy. Actions automatically suggests workflows for you based on your work, and we’ve updated the “Publish Docker Container” workflow template to make publishing straightforward.
For those using the current Docker service within GitHub Packages, we’ve also provided guidance on migrating your images.
Going forward, we’ll continue to provide updates on our plans for GitHub Container Registry through the GitHub public roadmap. We’ll be sharing information there shortly about our plans to support more open standards for cloud-native development, including Helm 3 charts for Kubernetes applications and using Container Registry for universal storage.
We’re looking forward to hearing from you on how we can make GitHub Packages and GitHub Container Registry even better – you can reach us on our community forums, or provide feedback directly to the product teams.