Harbor Stack is a private OCI registry that signs, attests, and gates every image you ship. The moment a layer lands, it's signed keylessly, fingerprinted with an SBOM, and stamped with SLSA build provenance — and the admission controller refuses anything that can't prove where it came from. The chain holds, or the pod never starts.
$ docker push registry.acme.internal/api:1.9.0
→ pushed 7 layers digest sha256:7f3a…c10b (42.6 MB)
harbor hook:on-push pipeline=sign+attest
✓ cosign sign keyless via OIDC (ci@acme.iam) 0.4s
✓ sbom generate syft → 218 packages, 0 unknown 1.1s
✓ provenance SLSA v1.0 build L3 git@a3f9c1 0.3s
✓ scan grype → 0 critical, 2 medium 2.7s
$ harbor verify registry.acme.internal/api:1.9.0
signature VALID issuer=ci@acme.iam fulcio root
provenance VALID builder=acme/ci rebuilt: match
policy PASS require-signed · max-sev<high
→ digest pinned · admission token issued · ttl 24h
$ _Gating every deploy for platform teams who treat the supply chain as evidence, not faith
What the chain looks like once it holds.
Most registries are a dumb bucket for tarballs — they'll hand back whatever someone pushed, signed or not. Harbor Stack treats every artifact as evidence: signed on arrival, scanned in place, and admitted only when the cluster can verify the chain end to end.
The moment a layer lands, Harbor Stack signs it with a short-lived certificate minted from your OIDC identity — your CI's own token, not a private key checked into a secrets manager. Signatures, attestations, and SBOMs are stored as OCI referrers next to the image, so verification is one HTTP call away. There is no keyring to rotate, no signing key to leak, and no human in the loop.
Harbor Stack runs an SBOM on ingest and binds SLSA v1.0 build provenance to the digest — every package, every layer, and the exact pipeline that produced it. When a CVE drops at midnight, you query the registry instead of grepping prod.
Images are scanned on push and rescanned as new advisories land — results pinned to the immutable digest, not a mutable tag someone can re-point. Severity gates are policy, so a fresh critical can quarantine a tag automatically.
A validating webhook verifies the signature, the provenance, and the policy before a pod is allowed to pull. Unsigned, unscanned, or out-of-policy images are rejected at admission — not discovered in an incident review three weeks later.
Pin a tag and it can never silently change underneath you. A pull-through cache mirrors upstream registries inside your perimeter, so a deleted public image or a rate limit never breaks a deploy.
Harbor Stack speaks plain OCI, so the docker push you already run doesn't change. The registry deploys inside your own cloud, talks to the CI and clusters you operate today, and never ships an image or a signature to a vendor backend.
Point docker, buildah, nerdctl, or your CI at one endpoint. No custom client, no proprietary push protocol — signing and attestation happen server-side on ingest.
A single binary runs the verify step in GitHub Actions, GitLab, Buildkite, or a Makefile. Gate the deploy on the exit code; fail closed when the chain doesn't hold.
Deploy single-tenant in your own cloud or fully air-gapped on-prem. Images, signatures, SBOMs, and scan results live in storage you control and never leave the perimeter.
Push, sign, verify, promote, and quarantine from the shell — or drive the same typed API the dashboard uses. The whole registry is scriptable.
Harbor Stack ports with a maintained set of admission policies written in plain Rego. Turn one on, watch what it would block in dry-run, then enforce. Your clusters inherit a strict supply-chain posture on day one.
Reject any pull whose digest lacks a valid keyless signature from an issuer on your allowlist. The baseline every cluster should run.
Admit only images whose SLSA provenance names a builder you operate. Blocks a hand-built image someone pushed from a laptop.
Quarantine any tag carrying a vulnerability above your threshold, and auto-quarantine when a fresh advisory crosses the line post-push.
Force deploys to pin by digest, not by a mutable tag like latest, so what passed verification is exactly what runs.
Refuse images without a complete software bill of materials, so every running container is one query away from a dependency answer.
Block pulls of images older than your window without a fresh re-scan, so a forgotten base image can't drift back into production.
“We flipped on require-signed in dry-run for a week, watched exactly which workloads would break, fixed the two pipelines that weren't signing, then enforced. Now an unsigned image physically cannot reach a cluster, and our SLSA evidence generates itself.”
“A critical dropped in a base layer at 1 a.m. Harbor Stack had already rescanned the digest, quarantined the tag, and paged us with the exact services pinned to it. The old workflow was a Monday spreadsheet and a lot of hoping.”
“Our auditor used to spend a day spelunking through CI logs to prove provenance. Now I hand them one verify command against a digest and they're done. The whole supply-chain section of the audit collapsed to an afternoon.”
Per-gigabyte storage pricing punishes you for keeping history and provenance. Harbor Stack bills for the clusters you protect, not the artifacts you store.
For one team standing up a private registry.
For platform teams gating every deploy.
For regulated, multi-region, air-gapped fleets.
No. Harbor Stack is a standards-compliant OCI registry — point docker, buildah, nerdctl, or your CI at one endpoint and push exactly as you do today. Signing, SBOM generation, and provenance happen server-side the instant the image lands, stored as OCI referrers next to the digest.
Instead of a long-lived private key sitting in a secrets manager waiting to leak, Harbor Stack mints a short-lived certificate from your CI's OIDC identity for each signature, bound to a transparency log. There's no keyring to rotate and no signing material to steal — the signer is your pipeline's own verified identity.
No. Harbor Stack deploys single-tenant inside your own cloud, or fully air-gapped on-prem. Images, signatures, SBOMs, scan results, and audit logs stay in infrastructure you control and never co-mingle with another customer's. You can pin data residency by region.
A validating webhook verifies the signature, provenance, and policy before the kubelet is allowed to pull. Every policy ships with a dry-run mode that logs what it would reject without blocking, so you measure the blast radius, fix the gaps, and only then fail closed.
Open ones. Signatures are Sigstore-compatible cosign, software bills of materials are SPDX or CycloneDX, and build provenance follows the SLSA v1.0 spec. Verification works with the standard cosign CLI, not just our binary, so you're never locked in.
Harbor Stack is SOC 2 Type II and ISO 27001 certified, writes an immutable audit log of every push, signature, and admission decision, and produces SLSA provenance you can hand an assessor as evidence. The supply-chain section of most audits becomes a single verify command.
Pull one binary, point your CI at it, and push an image — then watch it get signed, scanned, and pinned before you can refresh the tab. No sales call, no proprietary client, no artifact leaving your cloud.