
Overview

If your workloads use images from private container registries, Niro can store your credentials and automatically inject them as imagePullSecrets into generated manifests. Credentials are encrypted at rest and are never returned in plaintext after saving.

Supported registries

Niro works with any container registry that accepts Docker-style credentials:

| Registry | Notes |
| --- | --- |
| Docker Hub | docker.io — use a personal access token, not your password |
| GitHub Container Registry (GHCR) | ghcr.io — use a GitHub personal access token with read:packages scope |
| Amazon ECR | <account>.dkr.ecr.<region>.amazonaws.com — use an IAM access key or token |
| Google Artifact Registry / GCR | gcr.io, <region>-docker.pkg.dev — use a service account JSON key |
| Generic | Any registry with username/password or token authentication |

Niro also detects when a manifest references a known-private registry (GHCR, ECR, GCR, Quay.io) without an imagePullSecret. The public-image-no-credential policy finding will fire as a reminder to add credentials.

Adding a registry

Go to Registries in the sidebar and click Add registry.

| Field | Description |
| --- | --- |
| Registry URL | The registry hostname, e.g. ghcr.io, docker.io, 123456789.dkr.ecr.us-east-1.amazonaws.com |
| Username | Your registry username or access key ID |
| Password / Token | Your registry password, personal access token, or secret access key |
| Name | A label for this credential (e.g. ghcr-my-org, ecr-prod) |

Click Save. Niro verifies the credentials by attempting to authenticate with the registry before saving.

Using registry credentials in the builder

When creating a deployment with the Visual Builder, select a registry credential from the Registry dropdown in the Workload section. Niro will:
  1. Inject the credential as a Kubernetes Secret of type kubernetes.io/dockerconfigjson into the generated manifests
  2. Add the imagePullSecret reference to the Deployment’s pod spec
The injected Secret is applied to the same namespace as the workload.

Using registry credentials in GitOps

For GitOps deployments, Niro injects imagePullSecrets into the manifests it posts to GitHub. The registry credentials are resolved at manifest generation time based on the registry hostname in the image reference. If a manifest in your repo already has imagePullSecrets, Niro respects them and doesn’t override.
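
The injection behaviour described in the builder and GitOps sections, as an added Python sketch (not Niro's code): it resolves a credential by the registry hostname in each image reference, builds the kubernetes.io/dockerconfigjson Secret in the workload's namespace, and leaves a manifest that already sets imagePullSecrets untouched. The function names, the credential mapping and the sample manifest are assumptions made for illustration.

```python
import base64
import copy
import json

def registry_host(image):
    """Registry hostname of an image reference, following Docker's rule."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"  # no explicit registry means Docker Hub

def pull_secret(name, namespace, host, user, token):
    """Build a kubernetes.io/dockerconfigjson Secret for one registry."""
    auth = base64.b64encode(f"{user}:{token}".encode()).decode()
    cfg = {"auths": {host: {"username": user, "password": token, "auth": auth}}}
    # base64 is an encoding, not encryption: handle the manifest as a secret
    blob = base64.b64encode(json.dumps(cfg).encode()).decode()
    return {"apiVersion": "v1", "kind": "Secret",
            "type": "kubernetes.io/dockerconfigjson",
            "metadata": {"name": name, "namespace": namespace},
            "data": {".dockerconfigjson": blob}}

def inject(deployment, credentials):
    """Return (patched copy, Secrets to apply).

    credentials maps registry host -> (secret_name, user, token).
    """
    dep = copy.deepcopy(deployment)
    pod = dep["spec"]["template"]["spec"]
    if pod.get("imagePullSecrets"):
        return dep, []  # existing references are kept, not overridden
    namespace = dep["metadata"].get("namespace", "default")
    secrets = []
    for host in sorted({registry_host(c["image"]) for c in pod["containers"]}):
        if host in credentials:
            name, user, token = credentials[host]
            secrets.append(pull_secret(name, namespace, host, user, token))
            pod.setdefault("imagePullSecrets", []).append({"name": name})
    return dep, secrets

# Constructed sample input; the token is a placeholder, not a real credential.
SAMPLE = {"apiVersion": "apps/v1", "kind": "Deployment",
          "metadata": {"name": "api", "namespace": "prod"},
          "spec": {"template": {"spec": {"containers": [
              {"name": "api", "image": "ghcr.io/example-org/api:1.4.2"}]}}}}
CREDS = {"ghcr.io": ("ghcr-my-org", "example-user", "PLACEHOLDER_TOKEN")}
PATCHED, SECRETS = inject(SAMPLE, CREDS)
```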

Rotating credentials

To rotate a registry credential:
  1. Go to Registries and click the credential to edit
  2. Enter the new password/token
  3. Save — Niro verifies the new credentials before overwriting
The next time a deployment is applied, the new credential is used.

Policy detection

If a manifest references a known-private registry without an imagePullSecret, the public-image-no-credential policy rule fires at:
  • Build time — inline warning in the visual builder
  • Merge time — PR comment on the relevant manifest file
  • Runtime — finding on the live pod state (if the pod is actually crashing due to pull errors, a separate ImagePullBackOff incident also fires)

Related

  • Visual Builder: using the registry picker in the deployment form
  • Policies: public-image-no-credential rule and other standards checks
  • Plans: registry storage is available on all plans
Last modified on June 12, 2026