GitHub Container Registry vs Docker Hub vs ECR — Which Should You Use? (2026)
Where you store your Docker images matters for cost, security, and CI/CD speed. Here's a detailed comparison of GHCR, Docker Hub, and AWS ECR to help you pick the right one.
Every team needs a container registry. Three dominate: GitHub Container Registry (GHCR), Docker Hub, and AWS ECR. They have very different pricing, access models, and CI/CD integrations. Here's the full comparison.
What Is a Container Registry?
A container registry stores Docker images. Your CI pipeline pushes images after build, and your Kubernetes cluster pulls them at deploy time.
CI/CD (build) → push → Registry → pull → Kubernetes (deploy)
The registry sits in the critical path of every deployment.
Docker Hub
The original. Most FROM statements in Dockerfiles pull from Docker Hub.
Pricing (2026)
| Plan | Price | Private repos | Pull rate limit |
|---|---|---|---|
| Free | $0 | 1 | 100 pulls/6hr (unauthenticated), 200 (authenticated) |
| Pro | $5/month | Unlimited | Unlimited |
| Team | $15/user/month | Unlimited | Unlimited |
Pros
- Universal — every tool works with Docker Hub by default
- Huge public image library (nginx, postgres, node, etc.)
- Simple to use: `docker push username/myimage:tag`
- Docker Scout for vulnerability scanning (free tier)
Cons
- Rate limiting is brutal — 100 pulls/6hr per IP on free tier. In CI with shared runners, you'll hit this constantly
- Slower pull speeds vs cloud-native registries
- Public images are truly public
- Outages affect everyone (it's happened)
Best for
- Public open-source images
- Small personal projects
- When you need maximum compatibility
GitHub Container Registry (GHCR)
Launched 2020. Integrated into GitHub Packages.
Pricing (2026)
| GitHub Plan | Storage | Bandwidth | Cost |
|---|---|---|---|
| Free (public repos) | Unlimited | Unlimited | $0 |
| Free (private repos) | 500 MB | 1 GB/month | $0, then $0.25/GB |
| Pro/Team | 2 GB storage | 10 GB/month | $4-$4.50/user/month |
| Enterprise | More | More | Custom |
Public repos = completely free, unlimited storage and bandwidth.
Authentication
```bash
# Login with GitHub token
echo "$GITHUB_TOKEN" | docker login ghcr.io -u USERNAME --password-stdin
# Push image
docker tag my-app ghcr.io/username/my-app:latest
docker push ghcr.io/username/my-app:latest
```
GitHub Actions integration
```yaml
# The job needs "permissions: packages: write" for GITHUB_TOKEN to push to GHCR
- name: Login to GHCR
  uses: docker/login-action@v3
  with:
    registry: ghcr.io
    username: ${{ github.actor }}
    password: ${{ secrets.GITHUB_TOKEN }} # ← automatic, no setup
- name: Build and push
  uses: docker/build-push-action@v5
  with:
    push: true
    tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
```
GITHUB_TOKEN is automatic — zero secret setup for GitHub Actions pipelines.
Pros
- Free for public repos (unlimited)
- Native GitHub Actions integration — no secrets needed
- No rate limiting in GitHub Actions
- Package visibility tied to repo visibility
- Works with GitHub's OIDC for keyless auth
Cons
- Only makes sense if you're already on GitHub
- Private image costs add up for large teams
- Less universal than Docker Hub outside GitHub ecosystem
Best for
- Open-source projects
- Teams using GitHub Actions for CI/CD
- Replacing Docker Hub to avoid rate limits
AWS ECR (Elastic Container Registry)
AWS-native, designed for EKS and ECS.
Pricing (2026)
| | Public ECR | Private ECR |
|---|---|---|
| Storage | 50 GB free | 500 MB free, then $0.10/GB/month |
| Pull (same region) | Free | Free |
| Pull (cross-region) | $0.09/GB | $0.09/GB |
| Pull (internet) | Free (50 GB) | $0.09/GB |
Private ECR: no charge for pulls between ECR and EKS in the same region. Very cost-effective for AWS-native workloads.
Authentication
ECR uses short-lived tokens (12 hours) — no long-lived passwords.
```bash
# Get login token (expires in 12hr)
aws ecr get-login-password --region us-east-1 | \
  docker login --username AWS --password-stdin \
  123456789.dkr.ecr.us-east-1.amazonaws.com
# Push
docker tag my-app 123456789.dkr.ecr.us-east-1.amazonaws.com/my-app:latest
docker push 123456789.dkr.ecr.us-east-1.amazonaws.com/my-app:latest
```
EKS integration (no credentials needed)
EKS nodes automatically authenticate to ECR in the same account — zero credential setup for pulls.
```yaml
# In your K8s deployment — no imagePullSecrets needed
containers:
  - image: 123456789.dkr.ecr.us-east-1.amazonaws.com/my-app:latest
```
ECR features
- Lifecycle policies — auto-delete old images: keep last 10 tags, delete untagged after 1 day
- Image scanning — built-in Trivy/Snyk-powered scan on push
- Immutable tags — prevent overwriting a tag (production safety)
- Cross-account replication — replicate to other AWS accounts
- Pull-through cache — cache Docker Hub images to avoid rate limits
Lifecycle policy example:
```json
{
  "rules": [{
    "rulePriority": 1,
    "description": "Keep last 10 images",
    "selection": {"tagStatus": "any", "countType": "imageCountMoreThan", "countNumber": 10},
    "action": {"type": "expire"}
  }]
}
```
Pros
- Native EKS/ECS integration (no credentials)
- Fine-grained IAM-based access control
- Lifecycle policies keep storage costs low
- Same region pulls are fast and free
- Immutable tags for production safety
Cons
- Complex authentication (12hr tokens, needs refresh in CI)
- Only makes sense if you're on AWS
- Cross-region costs add up
- More setup than GHCR for CI/CD
Best for
- Teams running on EKS or ECS
- Production workloads on AWS
- When you need IAM-based access control
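What the "Keep last 10 images" rule shown earlier does to a repository that receives one image per commit, as an added example that is not part of the original article: it models only the count-based selection (newest first by push time, everything past the count expires) and checks whether a digest still used by a workload would be deleted. The image records, tag names and helper names are constructed for illustration.

```python
from datetime import datetime, timedelta

# The page's rule: tagStatus "any", imageCountMoreThan 10, action expire.
RULE = {"tagStatus": "any", "countType": "imageCountMoreThan", "countNumber": 10}


def expired_by_rule(images, rule=RULE):
    """Return the digests a count-based rule would expire.

    imageCountMoreThan sorts images newest-first by push time and expires
    everything past the first countNumber entries.
    """
    if rule["tagStatus"] == "untagged":
        images = [i for i in images if not i["tags"]]
    newest_first = sorted(images, key=lambda i: i["pushed_at"], reverse=True)
    return [i["digest"] for i in newest_first[rule["countNumber"]:]]


def deployed_but_expired(images, deployed_digests, rule=RULE):
    """Digests still referenced by a workload that the rule would delete."""
    doomed = set(expired_by_rule(images, rule))
    return sorted(doomed & set(deployed_digests))


def sample_repo(n=12):
    """Constructed repository: n per-commit images pushed one hour apart."""
    t0 = datetime(2026, 1, 1)
    return [{"digest": f"sha256:{i:064x}", "tags": [f"commit-{i}"],
             "pushed_at": t0 + timedelta(hours=i)} for i in range(n)]


if __name__ == "__main__":
    repo = sample_repo()
    # Assumption: production still runs the oldest image, staging the newest.
    in_use = [repo[0]["digest"], repo[11]["digest"]]
    print("expired:", expired_by_rule(repo))
    print("still deployed but expired:", deployed_but_expired(repo, in_use))
```

With per-commit tags, ten pushes are enough to expire an image that production still runs, so count-based rules are safer when scoped so that release images are not counted together with CI builds.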
Side-by-Side Comparison
| Feature | Docker Hub | GHCR | AWS ECR |
|---|---|---|---|
| Free private repos | 1 | 500 MB | 500 MB |
| Pull rate limits | Yes (harsh) | No | No |
| GitHub Actions auth | Secret needed | Automatic | IAM/OIDC |
| K8s pull (EKS) | imagePullSecrets | imagePullSecrets | Automatic |
| Image scanning | Yes (Scout) | No native | Yes (built-in) |
| Lifecycle policies | No | No | Yes |
| Immutable tags | No | No | Yes |
| Public image hosting | Excellent | Good | Good (ECR Public) |
| Price (private, 10GB) | $5/month (Pro) | ~$2.25/month | ~$0.95/month |
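An added example (not from the original article) that applies three rows of the table above to image references as they would appear in a manifest: it expands Docker's implicit registry and tag defaults, then flags mutable tags, Docker Hub pulls, and registries that need imagePullSecrets on EKS. The function names and the placeholder digest are constructed for illustration.

```python
import re

# ECR private registry host: <account-id>.dkr.ecr.<region>.amazonaws.com
ECR_HOST = re.compile(r"^\d+\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com$")


def parse_image_ref(ref):
    """Split an image reference into (registry, repository, tag, digest)."""
    name, _, digest = ref.partition("@")
    first, slash, rest = name.partition("/")
    # The first path component is a registry host only if it looks like one
    # (contains '.' or ':' or is 'localhost'); otherwise it is Docker Hub.
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", name
    repo, colon, tag = path.rpartition(":")
    if not colon:
        repo, tag = path, ""
    if registry == "docker.io" and "/" not in repo:
        repo = "library/" + repo   # official images such as nginx
    if not tag and not digest:
        tag = "latest"             # implicit default, the most mutable tag
    return registry, repo, tag, digest


def audit(ref):
    """Findings for one reference, following the comparison table rows."""
    registry, _repo, tag, digest = parse_image_ref(ref)
    findings = []
    if not digest:
        findings.append(f"mutable tag '{tag}': pin by sha256 digest")
    if registry == "docker.io":
        findings.append("Docker Hub pull: subject to rate limits")
    if not ECR_HOST.match(registry):
        findings.append("private pull on EKS needs imagePullSecrets")
    return findings


# Constructed sample references; the digest is a placeholder value.
SAMPLES = [
    "nginx",
    "ghcr.io/username/my-app:latest",
    "123456789.dkr.ecr.us-east-1.amazonaws.com/my-app@sha256:" + "0" * 64,
]

if __name__ == "__main__":
    for ref in SAMPLES:
        print(ref, "->", audit(ref) or "ok")
```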
Which Should You Use?
Use GHCR if:
✅ Your code is on GitHub
✅ You use GitHub Actions for CI/CD
✅ Open-source project (completely free)
✅ You want to avoid Docker Hub rate limits without cost
Use ECR if:
✅ You're deploying to EKS or ECS
✅ You need IAM-based access control
✅ You want lifecycle policies for cost management
✅ Full AWS stack (no reason to go outside AWS)
Use Docker Hub if:
✅ You're publishing public images for the community
✅ Maximum compatibility with all tools
✅ Personal projects (free tier is fine)
The common pattern in 2026:
GHCR for CI artifacts + ECR for production — build in GitHub Actions, push to GHCR (free), promote tagged releases to ECR for EKS deployment.
Learn More
- AWS Free Tier — 500 MB ECR free for 12 months
- KodeKloud Docker Course — hands-on image registry labs