Skip to main content

Oras

Oras is an open-source client and library that enables storing, discovering, and distributing OCI-compatible artifacts in container registries using the Open Container Initiative (OCI) distribution specification (container registry / software supply chain).

  • Pushes and pulls arbitrary OCI artifacts, such as Helm charts, configuration bundles, and SBOMs, to standard OCI registries (software supply chain).
  • Provides a Command-Line Interface (CLI) and Go library for working with OCI artifacts and registries using the OCI distribution specification (developer tooling).
  • Supports attaching artifacts to container images through OCI reference types and related mechanisms (software supply chain).
  • Integrates with existing OCI-compliant registries to reuse registry authentication, authorization, and lifecycle management (container registry integration).
  • Enables workflows for artifact discovery, content addressing, and reuse across cloud-native build and deployment pipelines (DevOps / Continuous Integration and Continuous Deployment (CI/CD)).

More About Oras

Oras is an open-source project that focuses on enabling the storage, discovery, and distribution of OCI-compatible artifacts in standard container registries (software supply chain). It builds on the Open Container Initiative (OCI) distribution specification to treat container registries as a general-purpose content distribution layer, not limited to container images. This allows platform teams and developers to manage diverse artifact types in the same infrastructure that already handles container images.

The Oras project provides both a CLI and a Go library (developer tooling) that allow users to push and pull arbitrary OCI artifacts such as configuration bundles, Helm charts, software bills of materials (SBOMs), policies, and other metadata. By leveraging OCI media types and manifests, Oras packages these artifacts in a format that registries implementing the OCI distribution specification can store and serve.

Oras supports attaching related artifacts to base container images through mechanisms aligned with OCI reference types (software supply chain). This enables use cases where SBOMs, security scan results, provenance data, or documentation are associated with an image and discoverable via the registry. Enterprises can use this to keep operational and security metadata close to the workloads they describe, while still using existing registry access controls and APIs.

In enterprise environments, Oras is used to unify artifact storage on top of existing OCI-compliant registries (container registry integration). Organizations that already run or consume container registries can extend those platforms to manage additional artifact classes without deploying a separate artifact server. This can simplify DevOps and platform engineering workflows by centralizing distribution, mirroring, caching, and access management for both images and non-image artifacts.

From an architectural perspective, Oras operates as a client and library on top of the OCI distribution protocol (container registry / protocol client). It interacts with registries using standard Hypertext Transfer Protocol (HTTP) APIs and OCI specifications, allowing it to interoperate with a wide range of registry implementations as long as they implement the relevant parts of the OCI distribution spec. Its Go Software Development Kit (SDK) can be embedded into other tools, controllers, or pipeline components that need programmatic access to OCI artifacts.

For ecosystem and extensibility, Oras aligns with broader cloud-native patterns promoted within the Cloud Native Computing Foundation (CNCF) (cloud-native tooling). It fits into workflows that involve container image build systems, policy engines, and supply chain security tools that need to publish or consume additional artifact types. In a technical directory, Oras can be categorized under container registry tooling, OCI artifact management, and cloud-native software supply chain enablement.