diff --git a/docs/docs/30-administration/22-backends/10-docker.md b/docs/docs/30-administration/22-backends/10-docker.md
index b2e60b46c..f73d3c7ca 100644
--- a/docs/docs/30-administration/22-backends/10-docker.md
+++ b/docs/docs/30-administration/22-backends/10-docker.md
@@ -14,6 +14,18 @@ Set to the name of an existing network which will be attached to all your pipeli
 
 Enable IPv6 for the networks used by pipeline containers (steps). Make sure you configured your docker daemon to support IPv6.
 
+## Docker credentials
+
+Woodpecker supports [Docker credentials](https://github.com/docker/docker-credential-helpers) to securely store registry credentials. Install your corresponding credential helper and configure it in your Docker config file passed via [`WOODPECKER_DOCKER_CONFIG`](/docs/administration/server-config#woodpecker_docker_config).
+
+To add your credential helper to the Woodpecker server container you could use the following code to build a custom image:
+
+```dockerfile
+FROM woodpeckerci/woodpecker-server:latest-alpine
+
+RUN apk add -U --no-cache docker-credential-ecr-login
+```
+
 ## Podman support
 
 While the agent was developped with Docker/Moby, Podman can also be used by setting the environment variable `DOCKER_SOCK` to point to the podman socket. In order to work without workarounds, Podman 4.0 (or above) is required.
diff --git a/server/plugins/registry/filesystem.go b/server/plugins/registry/filesystem.go
index 6f32be55a..c525b4637 100644
--- a/server/plugins/registry/filesystem.go
+++ b/server/plugins/registry/filesystem.go
@@ -40,6 +40,13 @@ func parseDockerConfig(path string) ([]*model.Registry, error) {
 		return nil, err
 	}
 
+	for registryHostname := range configFile.CredentialHelpers {
+		newAuth, err := configFile.GetAuthConfig(registryHostname)
+		if err == nil {
+			configFile.AuthConfigs[registryHostname] = newAuth
+		}
+	}
+
 	for addr, ac := range configFile.AuthConfigs {
 		if ac.Auth != "" {
 			ac.Username, ac.Password, err = decodeAuth(ac.Auth)