Protected container repositories
- Tier: Free, Premium, Ultimate
- Offering: GitLab.com, GitLab Self-Managed
By default, any user with at least the Developer role can push and delete container images to or from container repositories. Protect a container repository to restrict which users can make changes to container images in your container repository.
When a container repository is protected, the default behavior enforces these restrictions on the container repository and its images:
| Action | Minimum role |
|---|---|
| Protect a container repository and its container images. | The Maintainer role. |
| Push or create a new image in a container repository. | The role set in the Minimum access level for push setting. |
| Push or update an existing image in a container repository. | The role set in the Minimum access level for push setting. |
You can use a wildcard (*) to protect multiple container repositories with the same container protection rule.
For example, you can protect different container repositories containing temporary container images built during a CI/CD pipeline.
The following table contains examples of container protection rules that match multiple container repositories:
| Path pattern with wildcard | Example matching container repositories |
|---|---|
group/container-* | group/container-prod, group/container-prod-sha123456789 |
group/*container | group/container, group/prod-container, group/prod-sha123456789-container |
group/*container* | group/container, group/prod-sha123456789-container-v1 |
You can apply several protection rules to the same container repository. A container repository is protected if at least one protection rule matches.
Create a container repository protection rule
Prerequisites:
- You must have at least the Maintainer role.
To create a protection rule:
- On the left sidebar, select Search or go to and find your project.
- Select Settings > Packages and registries.
- Expand Container registry.
- Under Protected container repositories, select Add protection rule.
- Complete the fields:
- Repository path pattern is a container repository path you want to protect.
The pattern can include a wildcard (
*). - Minimum access level for push describes the minimum access level required to push (create or update) to the protected container repository path.
- Repository path pattern is a container repository path you want to protect.
The pattern can include a wildcard (
- Select Protect.
The protection rule is created and the container repository is now protected.
Delete a container repository protection rule
Prerequisites:
- You must have at least the Maintainer role.
To delete a protection rule:
- On the left sidebar, select Search or go to and find your project.
- Select Settings > Packages and registries.
- Expand Container registry.
- Under Protected container repositories, next to the protection rule you want to delete, select Delete ( ).
- On the confirmation dialog, select Delete.
The protection rule is deleted and the container repository is no longer protected.
Docs
Edit this page to fix an error or add an improvement in a merge request.
Create an issue to suggest an improvement to this page.
Product
Create an issue if there's something you don't like about this feature.
Propose functionality by submitting a feature request.
Feature availability and product trials
View pricing to see all GitLab tiers and features, or to upgrade.
Try GitLab for free with access to all features for 30 days.
Get help
If you didn't find what you were looking for, search the docs.
If you want help with something specific and could use community support, post on the GitLab forum.
For problems setting up or using this feature (depending on your GitLab subscription).
Request support