Treza Enclaves support deploying any publicly accessible Docker image directly from a container registry such as Docker Hub, GitHub Container Registry (GHCR), or any other OCI-compliant public registry. This is the fastest way to get an enclave running — no build step, no credentials, just an image URI.
How It Works
Public Container Registry
(Docker Hub, GHCR, etc.)
│
▼
Treza Platform
(image URI passed to provider)
│
▼
Treza Enclave
(image pulled and deployed into isolated enclave)
Step-by-step
Name your enclave — Give it a name and optional description.
Select Container Registry as the deployment source.
Enter your image URI — Provide the full image reference, e.g. nginx:alpine or ghcr.io/my-org/my-image:latest.
Configure your enclave — Set the provider region and any other settings.
Deploy — Treza provisions your enclave and pulls the image directly at runtime. No pre-build step is required.
Image URI Format
Format
Example
Notes
image
hello-world
Pulls latest from Docker Hub
image:tag
nginx:alpine
Specific tag from Docker Hub
registry/image:tag
ghcr.io/my-org/app:v1.2.0
Fully qualified registry reference
registry/namespace/image:tag
registry.example.com/team/service:stable
Custom registry with namespace
Note: The image must be publicly accessible. For private registries that require authentication, see Deploying from a Private Registry.
Supported Registries
Any OCI-compliant public registry is supported, including:
Docker Hub — docker.io (default when no registry prefix is specified)
GitHub Container Registry — ghcr.io
Google Container Registry — gcr.io
Amazon ECR Public — public.ecr.aws
Quay.io — quay.io
Any self-hosted public OCI registry
Enclave Statuses
Status
Description
PENDING_DEPLOY
Deployment has been queued
DEPLOYING
Enclave infrastructure is being provisioned and the image is being pulled
DEPLOYED
Enclave is live and running
FAILED
Deployment encountered an error — check the Infrastructure log tab
Using the CLI
For interactive prompts, omit the flags:
Finding Images
You can search Docker Hub directly from the Treza platform when entering your image URI. Start typing an image name and select from the results, or enter any fully qualified URI manually.
Popular images to get started:
Image
Description
hello-world
Minimal test image to verify the enclave runs
nginx:alpine
Lightweight web server
node:20-alpine
Node.js runtime
python:3.12-slim
Python runtime
Security
Images are pulled at deployment time from the public registry. The image digest is locked and recorded at the time of deployment.
Once inside the enclave, the image runs in a hardware-isolated environment (AWS Nitro Enclaves) with no persistent external network access unless explicitly configured.
Attestation PCR values reflect the exact image that was deployed, allowing any third party to independently verify the enclave workload.
Troubleshooting
Deployment failed: image not found
Verify the image URI is correct and the image is publicly accessible. Try pulling it locally first:
If the pull succeeds locally but the enclave deployment fails, the image may require authentication — use Private Registry deployment instead.
Deployment failed: unsupported architecture
Ensure the image supports the linux/amd64 architecture. Some images are only built for arm64. Check the image's Docker Hub page under OS/Arch tags.
