Checking a public container registry for mirrored, private images

[rdvansloten]

How are you running Renovate?

Self-hosted Renovate

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

GitHub, Renovate 41.28.0

Please tell us more about your question or problem

I have several YAML files (Helm values) with registry, tag, etc. as values. Our company's policies force us to mirror/upload public images into our private registry for security scanning and to make it so our compute can't just pull random stuff from the internet.

The issue with this pull-through method is that the private registry only has whatever version we currently run for an app, or the previous. Ergo, renovatebot will never find a newer version in this registry.

Examples:

containers:
      - name: runner
        image: myprivateregistry.azurecr.io/actions/actions-runner:v1.0
      - name: dind
        image: myprivateregistry.azurecr.io/library/docker:26.1.4-dind

image:
  repository: myprivateregistry.azurecr.io/rdvansloten/cert-manager-key-vault-sync
  tag: v1.2.0
  pullPolicy: Always

How could I make renovatebot parse these blocks of config (some charts put everything in image:, others split it out in tag: and registry:) and look at Docker Hub, Quay.io or GHCR registries instead?

Logs (if relevant)

Logs

[rarkins]

Try registryAliases

[neofilmraw]

Hey, I ran into this same problem recently with Renovate pulling from Docker Hub and hitting rate limits all the time — super frustrating in CI.

What worked for me was switching Renovate to use a public Docker mirror:
public-mirror.ratelimitshield.io — it's free and doesn't require any auth.

Just add this to your renovate.json:

{
"hostRules": [
{
"hostType": "docker",
"domainName": "public-mirror.ratelimitshield.io",
"username": "any",
"password": "any"
}
],
"registryAliases": {
"docker.io": "public-mirror.ratelimitshield.io"
}
}
After that, no more 429 errors and everything runs smoother. Might be helpful if you're running a lot of Renovate jobs across multiple repos like I am.

Hope it helps someone!