Red Hat · Software · YoctoIT tech page

Quay

The enterprise container image registry: scanning, signing and geo-replication of the content that becomes production.

FOCUS · THE CONTAINER PANTRYImages are production software: they must be safeguarded as such
YoctoIT material for clients and partners · Red Hat, RHEL, OpenShift, Ansible and the other products mentioned are trademarks of Red Hat, Inc. o di sue affiliate.
01 · What it is

Red Hat Quay, made clear.

Every deploy starts from an image: Quay is the enterprise registry where images live governed — continuous vulnerability scanning (Clair), signing and provenance, RBAC per team, geo-replication across sites, mirroring of public registries. The software supply chain starts here.

Clair
every image scanned at every push and re-evaluated against new CVEs
Geo-replica
images close to every cluster: fast pulls, DR included
Signing
sigstore/cosign: only what's signed goes to production
Red Hat Quay
OFFICIAL RED HAT BRANDING · QUAY
CONSOLE REALE · QUAY · FONTE: RED HAT DOCS
REAL CONSOLE · QUAY · SOURCE: RED HAT DOCS
02 · How to use it well

The things that make the difference.

The supply chain

CI/CD pipelineimage builds and pushes
Scan
Sign
Replicate
security · trust · availability
Quay registryRBAC, quotas, audit
The clusters that pullonly verified content
From build to deploy, tracked

Mirrors of the public registries

Docker Hub and quay.io mirrored and scanned: you depend on your own pantry, not the internet.

Provenance policies

With ACS: only images signed by the company registry reach production.

Automatic cleanup

Tag lifecycle and garbage collection: the registry doesn't become a dump.

Air-gap ready

The internal registry for isolated environments, synchronized in a controlled way.

03 · In depth

Geo-replicated registry and supply chain

Quay serves images with RBAC per organization/team, robot accounts for pipelines, quotas per tenant; Clair scans every push and re-evaluates new CVEs against the backlog; geo-replication keeps blobs close to the clusters; mirror repositories reflect public registries inside; tag lifecycle stops the pile-up. Cosign signing and attestations close the chain: only what's signed reaches production.

  • Clair — scan on every push + rescans against new CVEs: the backlog never sleeps
  • Geo-replication — the same tags served from multiple regions: fast pulls and DR
  • Repo mirroring — Docker Hub/quay.io mirrored and scanned at home
  • Robot account — pipeline credentials with minimal permissions and rotation
  • Tag lifecycle — expiration and GC: the registry that doesn't become a dump
  • Cosign — signing and verification in admission (with ACS): provenance proven
04 · Numbers and lifecycle

The numbers that matter.

100%
of pushes scanned by Clair
N
sites in geo-replication: the pull always local
OCI
artifacts beyond images: helm charts and SBOMs
3.x
twice-yearly releases: the operator updates in rolling fashion
The registry is the software vault: mirroring, signing and automatic cleanup — the supply chain starts tidy.
05 · Use cases

Where it really pays off.

Software supply chain

Software provenance provable end-to-end.

Multi-site

Images replicated next to every cluster.

Isolated environments

Containers even where the internet doesn't reach.

Production is made of images: Quay keeps them clean, signed and available — we manage it.