
  <rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
      <title>Chaos and Order</title>
      <link>https://www.youngju.dev/blog</link>
      <description>Slowly and correctly. AI Researcher &amp; DevOps Engineer Youngju&#39;s tech blog. GPU/CUDA, LLM, MLOps, Kubernetes AI workloads, distributed training, and data engineering.</description>
      <language>ko</language>
      <managingEditor>fjvbn2003@gmail.com (Youngju Kim)</managingEditor>
      <webMaster>fjvbn2003@gmail.com (Youngju Kim)</webMaster>
      <lastBuildDate>Sat, 16 May 2026 00:00:00 GMT</lastBuildDate>
      <atom:link href="https://www.youngju.dev/tags/cyclonedx/feed.xml" rel="self" type="application/rss+xml"/>
      
  <item>
    <guid>https://www.youngju.dev/blog/culture/2026-05-16-container-registries-2026-docker-hub-ghcr-ecr-harbor-quay-zot-cosign-sigstore-deep-dive.en</guid>
    <title>Container Registries in 2026 — Docker Hub / GHCR / ECR / Harbor / Quay / Zot / Cosign + Sigstore Deep Dive</title>
    <link>https://www.youngju.dev/blog/culture/2026-05-16-container-registries-2026-docker-hub-ghcr-ecr-harbor-quay-zot-cosign-sigstore-deep-dive.en</link>
    <description>In 2026, container registries are no longer just a docker push away. Following Docker Hub pricing changes, GHCR has effectively become the OSS standard. Harbor has matured into the self-hosting default as a CNCF graduated project, while Zot has carved out the emerging OCI-only simplicity niche. ECR Public stands as the free Quay alternative, and Google Artifact Registry has fully replaced GCR. On top of all that sit Cosign + Sigstore signing, in-toto supply-chain attestations, CycloneDX and SPDX SBOMs, and ORAS-powered generic OCI artifacts — the registry is no longer an image store but the central hub of supply-chain security. This post compares 13 registries, signing tools, and SBOM standards in one breath, traces the real choices made by Toss, KakaoPay, Mercari, and LINE, and gives you a matrix of who should pick what.</description>
    <pubDate>Sat, 16 May 2026 00:00:00 GMT</pubDate>
    <author>fjvbn2003@gmail.com (Youngju Kim)</author>
    <category>container</category><category>registry</category><category>docker-hub</category><category>ghcr</category><category>ecr</category><category>gcr</category><category>acr</category><category>harbor</category><category>quay</category><category>zot</category><category>artifactory</category><category>distribution</category><category>cosign</category><category>sigstore</category><category>in-toto</category><category>sbom</category><category>cyclonedx</category><category>spdx</category><category>notary</category><category>oras</category><category>2026</category><category>deep-dive</category><category>english</category>
  </item>

  <item>
    <guid>https://www.youngju.dev/blog/culture/2026-05-16-container-registries-2026-docker-hub-ghcr-ecr-harbor-quay-zot-cosign-sigstore-deep-dive.ja</guid>
    <title>Container Registries 2026 - Docker Hub / GHCR / ECR / Harbor / Quay / Zot / Cosign + Sigstore Thorough Comparison</title>
    <link>https://www.youngju.dev/blog/culture/2026-05-16-container-registries-2026-docker-hub-ghcr-ecr-harbor-quay-zot-cosign-sigstore-deep-dive.ja</link>
    <description>In 2026, container registries are no longer a world where a single docker push finishes the job. Since Docker Hub's pricing change, GHCR has effectively become the OSS standard, Harbor has become the self-hosting default as a CNCF graduated project, and Zot has captured the emerging segment with its OCI-only simplicity. ECR Public has settled in as the free Quay alternative, and Google Artifact Registry has completely replaced GCR. On top of that come signing with Cosign + Sigstore, supply-chain attestations with in-toto, CycloneDX and SPDX SBOMs, and generic OCI artifacts via ORAS: the registry is no longer an image store but the central hub of supply-chain security. This article compares 13 registries, signing tools, and SBOM standards in one breath, traces the practical choices made by Toss, KakaoPay, Mercari, and LINE, and lays out in a matrix who should choose what.</description>
    <pubDate>Sat, 16 May 2026 00:00:00 GMT</pubDate>
    <author>fjvbn2003@gmail.com (Youngju Kim)</author>
    <category>container</category><category>registry</category><category>docker-hub</category><category>ghcr</category><category>ecr</category><category>gcr</category><category>acr</category><category>harbor</category><category>quay</category><category>zot</category><category>artifactory</category><category>distribution</category><category>cosign</category><category>sigstore</category><category>in-toto</category><category>sbom</category><category>cyclonedx</category><category>spdx</category><category>notary</category><category>oras</category><category>2026</category><category>deep-dive</category><category>日本語</category>
  </item>

  <item>
    <guid>https://www.youngju.dev/blog/culture/2026-05-16-container-registries-2026-docker-hub-ghcr-ecr-harbor-quay-zot-cosign-sigstore-deep-dive</guid>
    <title>Container Registries 2026 - Docker Hub / GHCR / ECR / Harbor / Quay / Zot / Cosign + Sigstore In-Depth Comparison</title>
    <link>https://www.youngju.dev/blog/culture/2026-05-16-container-registries-2026-docker-hub-ghcr-ecr-harbor-quay-zot-cosign-sigstore-deep-dive</link>
    <description>In 2026, a container registry is no longer something you finish with one line of docker push. Since Docker Hub's pricing policy change, GHCR has effectively become the OSS standard, Harbor has become the self-hosting default as a CNCF graduated project, and Zot has claimed the emerging segment with its OCI-only simplicity. ECR Public has settled in as the free Quay alternative, and Google Artifact Registry has completely replaced GCR. On top of that sit Cosign + Sigstore signing, in-toto supply-chain attestations, CycloneDX and SPDX SBOMs, and ORAS generic OCI artifacts: the registry has become not an image store but the central hub of supply-chain security. This article compares 13 registries, signing tools, and SBOM standards in one breath, follows the real-world choices made by Toss, KakaoPay, Mercari, and LINE, and organizes who should choose what into a matrix.</description>
    <pubDate>Sat, 16 May 2026 00:00:00 GMT</pubDate>
    <author>fjvbn2003@gmail.com (Youngju Kim)</author>
    <category>container</category><category>registry</category><category>docker-hub</category><category>ghcr</category><category>ecr</category><category>gcr</category><category>acr</category><category>harbor</category><category>quay</category><category>zot</category><category>artifactory</category><category>distribution</category><category>cosign</category><category>sigstore</category><category>in-toto</category><category>sbom</category><category>cyclonedx</category><category>spdx</category><category>notary</category><category>oras</category><category>2026</category><category>deep-dive</category>
  </item>

  <item>
    <guid>https://www.youngju.dev/blog/culture/2026-05-16-software-supply-chain-security-2026-sigstore-slsa-sbom-cyclonedx-spdx-chainguard-socket-jfrog-xray-snyk-deep-dive.en</guid>
    <title>Software Supply Chain Security 2026 — Sigstore, SLSA, SBOM (CycloneDX/SPDX), Chainguard Images, Socket.dev, JFrog Xray, Snyk Open Source, GUAC, in-toto, GitHub Actions OIDC Deep Dive</title>
    <link>https://www.youngju.dev/blog/culture/2026-05-16-software-supply-chain-security-2026-sigstore-slsa-sbom-cyclonedx-spdx-chainguard-socket-jfrog-xray-snyk-deep-dive.en</link>
    <description>As of May 2026, software supply chain security is no longer optional. The 2020 SolarWinds Orion breach, the 2021 Log4Shell crisis, the March 2024 XZ Utils backdoor (the Jia Tan affair), and the steady drumbeat of npm and PyPI typosquats made that clear. The US followed Executive Order 14028 (2021) with the CISA Secure Software Development Attestation Form (2024); the EU adopted the Cyber Resilience Act in October 2024. In the same window Sigstore (cosign, fulcio, rekor), SLSA v1.1, in-toto, GUAC, CycloneDX 1.6, and SPDX 3.0 became standard candidates, while Chainguard Images, Wolfi OS, Socket.dev, JFrog Xray, Snyk Open Source, Endor Labs, and Phylum became commercial mainstays. This piece walks through 60-plus tools, standards, and incidents in one breath.</description>
    <pubDate>Sat, 16 May 2026 00:00:00 GMT</pubDate>
    <author>fjvbn2003@gmail.com (Youngju Kim)</author>
    <category>software-supply-chain</category><category>sigstore</category><category>slsa</category><category>sbom</category><category>cyclonedx</category><category>spdx</category><category>chainguard</category><category>socket-dev</category><category>jfrog-xray</category><category>snyk</category><category>guac</category><category>in-toto</category><category>english</category>
  </item>

  <item>
    <guid>https://www.youngju.dev/blog/culture/2026-05-16-software-supply-chain-security-2026-sigstore-slsa-sbom-cyclonedx-spdx-chainguard-socket-jfrog-xray-snyk-deep-dive.ja</guid>
    <title>Software Supply Chain Security 2026 Complete Guide - Sigstore · SLSA · SBOM (CycloneDX/SPDX) · Chainguard Images · Socket.dev · JFrog Xray · Snyk Open Source · GUAC · in-toto · GitHub Actions OIDC Detailed Explanation</title>
    <link>https://www.youngju.dev/blog/culture/2026-05-16-software-supply-chain-security-2026-sigstore-slsa-sbom-cyclonedx-spdx-chainguard-socket-jfrog-xray-snyk-deep-dive.ja</link>
    <description>As of May 2026, software supply chain security is no longer optional. The 2020 SolarWinds Orion incident, Log4Shell in 2021, the March 2024 XZ Utils backdoor (the Jia Tan affair), and the npm and PyPI typosquatting that recurs every week have proven it. Following Executive Order 14028 (2021), the United States made the CISA Secure Software Development Attestation Form (2024) mandatory, and the EU adopted the Cyber Resilience Act in October 2024. In the meantime Sigstore (cosign, fulcio, rekor), SLSA v1.1, in-toto, GUAC, CycloneDX 1.6, and SPDX 3.0 established themselves as standard candidates, and Chainguard Images, Wolfi OS, Socket.dev, JFrog Xray, Snyk Open Source, Endor Labs, and Phylum became established as commercial tools. This article explains more than 60 tools, standards, and incidents in one go.</description>
    <pubDate>Sat, 16 May 2026 00:00:00 GMT</pubDate>
    <author>fjvbn2003@gmail.com (Youngju Kim)</author>
    <category>software-supply-chain</category><category>sigstore</category><category>slsa</category><category>sbom</category><category>cyclonedx</category><category>spdx</category><category>chainguard</category><category>socket-dev</category><category>jfrog-xray</category><category>snyk</category><category>guac</category><category>in-toto</category><category>日本語</category>
  </item>

  <item>
    <guid>https://www.youngju.dev/blog/culture/2026-05-16-software-supply-chain-security-2026-sigstore-slsa-sbom-cyclonedx-spdx-chainguard-socket-jfrog-xray-snyk-deep-dive</guid>
    <title>Software Supply Chain Security 2026 Complete Guide - Sigstore · SLSA · SBOM (CycloneDX/SPDX) · Chainguard Images · Socket.dev · JFrog Xray · Snyk Open Source · GUAC · in-toto · GitHub Actions OIDC In-Depth Analysis</title>
    <link>https://www.youngju.dev/blog/culture/2026-05-16-software-supply-chain-security-2026-sigstore-slsa-sbom-cyclonedx-spdx-chainguard-socket-jfrog-xray-snyk-deep-dive</link>
    <description>As of May 2026, software supply chain security is no longer optional. The 2020 SolarWinds Orion incident, Log4Shell in 2021, the March 2024 XZ Utils backdoor (the Jia Tan affair), and the npm and PyPI typosquatting that repeats every week proved that fact. Following Executive Order 14028 (2021), the US mandated the CISA Secure Software Development Attestation Form (2024), and the EU adopted the Cyber Resilience Act in October 2024. In the meantime Sigstore (cosign · fulcio · rekor), SLSA v1.1, in-toto, GUAC, CycloneDX 1.6, and SPDX 3.0 took their place as standard candidates, and Chainguard Images · Wolfi OS · Socket.dev · JFrog Xray · Snyk Open Source · Endor Labs · Phylum settled in as commercial tools. This article covers some 60 tools, standards, and incidents in one breath.</description>
    <pubDate>Sat, 16 May 2026 00:00:00 GMT</pubDate>
    <author>fjvbn2003@gmail.com (Youngju Kim)</author>
    <category>software-supply-chain</category><category>sigstore</category><category>slsa</category><category>sbom</category><category>cyclonedx</category><category>spdx</category><category>chainguard</category><category>socket-dev</category><category>jfrog-xray</category><category>snyk</category><category>guac</category><category>in-toto</category>
  </item>

    </channel>
  </rss>
