diff --git a/go.mod b/go.mod
index e2f8536a1..b0fef95bc 100644
--- a/go.mod
+++ b/go.mod
@@ -14,6 +14,7 @@ require (
 	github.com/cyphar/filepath-securejoin v0.4.1
 	github.com/distribution/distribution/v3 v3.0.0
 	github.com/evanphx/json-patch/v5 v5.9.11
+	github.com/fatih/color v1.13.0
 	github.com/fluxcd/cli-utils v0.36.0-flux.14
 	github.com/foxcpp/go-mockdns v1.1.0
 	github.com/gobwas/glob v0.2.3
@@ -70,7 +71,6 @@ require (
 	github.com/docker/go-metrics v0.0.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
-	github.com/fatih/color v1.13.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fxamacker/cbor/v2 v2.8.0 // indirect
 	github.com/go-errors/errors v1.5.1 // indirect
diff --git a/pkg/registry/client.go b/pkg/registry/client.go
index 3ea68f181..042f06065 100644
--- a/pkg/registry/client.go
+++ b/pkg/registry/client.go
@@ -128,7 +128,13 @@ func NewClient(options ...ClientOption) (*Client, error) {
 		}
 		authorizer.SetUserAgent(version.GetUserAgent())
 
-		authorizer.Credential = credentials.Credential(client.credentialsStore)
+		if client.username != "" && client.password != "" {
+			authorizer.Credential = func(_ context.Context, hostport string) (auth.Credential, error) {
+				return auth.Credential{Username: client.username, Password: client.password}, nil
+			}
+		} else {
+			authorizer.Credential = credentials.Credential(client.credentialsStore)
+		}
 
 		if client.enableCache {
 			authorizer.Cache = auth.NewCache()