ORAS

OCI Registry As Storage. Push and pull arbitrary artifacts — configs, binaries, Helm charts, SBOMs, signatures, Wasm modules — to/from any OCI-compliant registry.

Basic usage

# Push a file to a registry
oras push ghcr.io/myuser/myartifact:v1.0 myfile.tar.gz
 
# Push with media type
oras push ghcr.io/myuser/config:latest \
  --artifact-type application/vnd.myapp.config.v1 \
  config.json:application/json
 
# Pull artifacts
oras pull ghcr.io/myuser/myartifact:v1.0
 
# Discover artifact types attached to an image
oras discover ghcr.io/myuser/myimage:latest
 
# Copy between registries
oras copy ghcr.io/source/image:tag registry.example.com/dest/image:tag
 
# Inspect manifest
oras manifest fetch ghcr.io/myuser/myartifact:v1.0
 
# Resolves digest of the target artifact
oras resolve ghcr.io/myuser/myartifact:v1.0

Attach artifacts to existing images

# Attach an SBOM to an existing image
oras attach ghcr.io/myuser/myimage:latest \
  --artifact-type application/vnd.cyclonedx \
  sbom.json:application/json
 
# Discover what's attached
oras discover ghcr.io/myuser/myimage:latest

Authentication

oras login ghcr.io -u USERNAME --password-stdin
oras logout ghcr.io

Use cases

Distributing Helm charts, OPA policies, Wasm modules
Storing SBOMs and signatures alongside container images
Binary distribution via OCI registries
Config and artifact versioning with registry semantics

Knowledge Base

Explorer

oras

ORAS

Basic usage

Attach artifacts to existing images

Authentication

Use cases

Graph View

Table of Contents