Skip to content
Switch branches/tags

Latest commit

* Project status update, reflecting reference type development and the Reference Type WG Proposal
* Incorporate feedback from @dmcgowan, @mikebrow

Signed-off-by: Steve Lasker <>

Git stats


Failed to load latest commit information.

OCI Artifacts

Artifact Guidance Documents

  1. Artifact Author Guidance

Supporting Documents

Project Introduction and Scope

Container registries, implementing the distribution-spec, provide reliable, highly scalable, secured storage services for container images. Customers either use a cloud provider implementation, vendor implementations, or instance the open source implementation of distribution. They configure security and networking to assure the images in the registry are locked down and accessible by the resources required. Cloud providers and vendors often provide additional values atop their registry implementations from security to productivity features.

Applications and services typically require additional artifacts to deploy and manage, including helm for deployment and Open Policy Agent (OPA) for policy enforcement.

Utilizing the manifest and index definitions, new artifacts, such as the Singularity project, can be stored and served using the distribution-spec.

This repository provides a reference for artifact authors and registry implementors for supporting new artifact types with the existing implementations of distribution. More particularly this repository has been tasked by the OCI TOB to serve 3 primary goals:

  1. artifact authors - guidance for authoring new artifact types. Including a clearing house for well known artifact types.
  2. registry operators and vendors - guidance for how operators and vendors can support new artifact types, including how they can opt-in or out of well known artifact types. Registry operators that already implement media-type filtering will not have to change. The artifact repo will provide context on how new media-types can be used, and how media-types can be associated with a type of artifact.
  3. clearing house for well known artifacts - artifact authors can submit their artifact definitions, providing registry operators a list by which they can easily support.

By providing an OCI artifact definition, the community can continue to innovate, focusing on new artifact types without having to build yet another storage solution (YASS).

Project Status

The current state of the OCI Artifacts repository:

  • The repository contains guidance for using v1.0.1 of the OCI image manifest representing individual non-container image artifact types.
  • This project recognizes that additional work is needed to find ways to improve existing OCI artifact types, such as OCI images, to formally include a software bill of materials (SBOMs), scan results, signatures, and other OCI artifact related extensions. Depending on the implementation chosen, additional APIs to manage these extensions may also be needed. We believe these requirements will either require modifications to the existing specs or some new specification depending on the output of various working groups.
    This project, however, does not currently have the mission to create new specifications or commit changes to the existing specifications.
  • External to OCI there exists an active community of developers working under the oras-project/artifacts-spec repository on proposed changes to the OCI specifications.
  • An OCI working group for reference types has been proposed to work out how OCI should adopt these extensions.

Project Governance and License

Code of Conduct

This project incorporates (by reference) the OCI Code of Conduct.

Governance and Releases

This project incorporates the Governance and Releases processes from the OCI project template:

Project Communications

This project would continue to use existing channels in use by the OCI developer community for communication

Versioning / Roadmap

Artifacts will reference specific distribution, index and manifest versions in its examples, identifying any dependencies required.

Frequently Asked Questions (FAQ)

Q: Does this change the OCI Charter or Scope Table?

A: No. Artifacts are a prescriptive means of storing index and manifest within distribution implementations.