Container registry best practices

I would like to ask both the gitlab devs and the community what are the best security practices of using the built-in registry.

  1. It wasn’t apparent to me for a long time that the registry permissions are quite liberal: any developer may push to registry, including pushing from outside of CI, leaving only a timestamp but no trace of user identity.
  2. It seems natural to use the built-in registry to built the images that are used in CI.
  3. The combination of 1. and 2. effectively means that the developer users can elevate their privileges by getting access to the protected variables or effectively overwriting release artifacts (if I were to use the registry as a source for deploying).

The above is a known limitation #878, however from what I can see, it is not scheduled, and even if it was, it would only apply to the enterprise edition.

I’m developing open source exam grading software, where many developer-level users take exams graded by this software, and therefore the permission separation is crucial even though I trust the users. What would be the best practice here? Abandoning gitlab registry and using the docker hub seems like a possible, but not preferred solution.


the discussion in the linked epic is really lively and good with actions and issues linked. Please join the conversation and add your comment in there too! :100:


Thanks for the pointer. I have already commented in #878, but the issue is right now tagged for premium and also not scheduled. Discussing current best policies seems to be off-topic there. The epic seems to have a much broader scope, so I’m not sure how my question fits there.

For now I’m going to do the following:

  • Create a separate group and a publicly visible project that will hold the registry images
  • Generate a deploy token with registry write permissions for that project
  • Store that token as a protected variable in the original repository