distribution - "The Registry is a stateless, highly scalable server-side application that stores and lets you distribute container images and other content. The Registry is open-source, under the permissive Apache license." The reference implementation of the OCI Distribution Specification. Written in Go. You can find a lot of helpful information at the Distribution website.
Registry, an open source implementation for storing and distributing container images and other content, has been donated to the CNCF. Registry now goes under the name of Distribution, and the documentation has moved to distribution project.
oci-registry - an implementation of the OCI Registry spec with filesystem and S3 storage back-ends.
Pull-through cache for any registry (not just docker.io), two storage back-ends, and a small footprint. May or may not be OCI Distribution Spec conformant.
harbor stands as an open-source registry, safeguarding artifacts through policies and role-based access control. It ensures that images undergo scanning to eliminate vulnerabilities and are signed as trusted. As a CNCF-graduated project, Harbor guarantees compliance, performance, and interoperability, enabling you to consistently and securely manage artifacts across cloud-native compute platforms such as Kubernetes and Docker.
Artifact Hub serves as a web-based platform facilitating the discovery, installation, and publication of packages and configurations for Cloud Native environments.
The challenge of discovering artifacts for CNCF projects can be daunting. The proliferation of individual artifact hubs for each project not only duplicates efforts but also fragments the user experience for artifact consumers. Artifact Hub addresses this by offering a unified platform accessible to all CNCF projects, streamlining the artifact discovery process and ensuring a cohesive experience for consumers.
You have the option to utilize the official CNCF Artifact Hub at artifacthub.io or easily install it using the Artifact Hub Helm Chart, available at artifact-hub.
Nexus Repository supports Docker registries with the Docker repository and OCI Image format for hosted and proxy repositories. You can expose these repositories to the client-side tools directly or as a repository group, which is a repository that merges and exposes the contents of multiple repositories in one convenient URL. The Nexus general artifact management solution for multiple package systems like Helm Charts, Java/Maven, Go, PyPi, NpM, NuGet, R, RubyGems, Yum, or raw artifacts.
JFrog Artifactory is a comprehensive solution for storing and overseeing all your artifacts, binaries, packages, files, containers, and components essential for your software supply chain.
As the central hub for DevOps, JFrog Artifactory seamlessly integrates with your existing tools and processes, enhancing automation, ensuring integrity, and fostering best practices throughout your workflow.
ChartMuseum is an open-source Helm Chart Repository server written in Go (Golang), with support for cloud storage backends, including Google Cloud Storage, Amazon S3, Microsoft Azure Blob Storage, Alibaba Cloud OSS Storage and Openstack Object Storage.
Docker Hub is the world's first registry service to create, manage, and deliver your team's container applications. Docker Hub is an online service that includes a registry for Docker images and repositories. The registry is divided into a public and a private part. In the public section, any user can upload their self-created images and make them available to others. Additionally, there are official images, such as those from Linux distributors. In the private section of Docker Hub, users can upload their Docker images, thus easily distributing them, for example, within a company, without them being publicly discoverable.
The Github Container registry stores container images within your organization or personal account and allows you to associate an image with a repository. You can choose whether to inherit permissions from a repository or set granular permissions independently of a repository. You can also access public container images anonymously. You can also store other package systems like RubyGems, npm, Maven/Gradle, and NUGET artifacts.
The Homebrew project hosts macOS and Linux bottles](https://docs.brew.sh/Bottles) on its platform :)
Azure Container Registry create, store, secure, scan, replicate, and manage container images and artifacts with a fully managed, geo-replicated instance of an OCI distribution. Establish cross-environment connections (e.g., Azure Kubernetes Service and Azure Red Hat OpenShift) and cross-service connections with Azure services such as App Service, Machine Learning, and Batch.
The Google Container Registry is describe as an evolution of Container Registry, Artifact Registry serves as the central interface through which your company can manage container images and language packages (such as Maven and npm). The product is fully integrated into Google Cloud's tools and runtimes and supports native artifact protocols. This allows it to be easily integrated into your CI/CD tools for setting up automated pipelines.
Amazon Elastic Container Registry (Amazon ECR) is a fully managed container registry that provides high-performance hosting, allowing you to reliably deploy application images and artifacts anywhere.
The mission of Quay is store your containers securely. Ensure your apps are stored privately, with access that you control. Quay is teamwork optimized, with powerful access controls. It use offen by Red Hat based project like podman or RKT.
skopeo - "Work with remote image registries - retrieving information, images, signing content."
crane - "A tool for interacting with remote images and registries. You can try out a web version of crane here"
krane - "A drop-in replacement for crane that supports common Kubernetes-based workload identity mechanisms."
regclient - "Docker and OCI Registry Client in Go and tooling using those libraries."
A client interface to interact with registries: inspect images w/o pulling, list repository's tags, list registry's repositories (if supported), efficiently copy images between repositories, import/export OCI and Docker images, etc. Seems to be written from scratch with just a few dependencies.
ORAS - "Push and pull OCI Artifacts to and from OCI Registries."
Since the invention of OCI registries, people have been (ab)using them to store non-container things (Helm charts, OPA policies, and even video files can be stored this way). The modern registries are evolving as generic artifact stores, and the ORAS project provides a way to push and pull OCI Artifacts (read arbitrary files) to and from OCI Registries. The project consists of a CLI (oras) and libraries (Go, Python).
Docker Hub Tool - "Docker Hub experimental CLI tool."
A CLI tool for interacting with the Docker Hub. Get information about your images from the terminal. Docker's experiment to build a Docker Hub CLI tool. The intention of this project is to get user feedback and then to add this functionality to the Docker CLI itself.
Helm is a package manager tailored for Kubernetes environments, streamlining the deployment process of applications and services within Kubernetes clusters. Its primary advantage lies in simplifying the orchestration of complex deployments, particularly those that are highly repeatable or needed across diverse scenarios. By providing a structured approach to managing Kubernetes manifests and configurations, Helm empowers users to efficiently package, version, and deploy their applications, fostering consistency and scalability across Kubernetes deployments.
Trivy emerges as a leading all-in-one open-source security scanner renowned for its reliability, speed, and user-friendly interface. With Trivy, users can effortlessly uncover vulnerabilities, pinpoint Infrastructure as Code (IaC) misconfigurations, conduct SBOM discovery, perform Cloud scanning, and address Kubernetes security risks, among other critical security tasks. Its popularity stems from its comprehensive feature set and seamless usability, making it a go-to solution for security professionals and developers seeking to fortify their systems against potential threats.
Grype stands out as an indispensable vulnerability scanner designed specifically for analyzing container images and filesystems, delivering robust security assessments to identify and mitigate potential risks efficiently. Leveraging its capabilities, users gain actionable insights into vulnerabilities present within their containerized environments, ensuring enhanced security posture and proactive risk management.
Syft, renowned as a potent SBOM (software bill of materials) tool, excels in providing comprehensive insights into container images and filesystems, empowering users with invaluable visibility into software dependencies and vulnerabilities. Moreover, its seamless integration with the docker CLI as the sbom-cli-plugin further enhances its accessibility and usability within containerized environments.
Cosign presents a comprehensive array of functionalities, ranging from its pioneering 'Keyless signing' feature supported by the Sigstore public good Fulcio certificate authority and Rekor transparency log, to its versatile support for Hardware and KMS signing, seamless integration with cosign-generated encrypted private/public keypairs for signing, robust Container Signing capabilities, secure Verification, and Storage in an OCI registry, alongside flexibility for users to employ their own PKI solutions.
The notary client and server leverage The Update Framework (TUF), a robust and secure framework designed to address the challenges of software distribution and updates. Rooted in a strong foundation of security principles, TUF provides a comprehensive solution for ensuring the integrity and authenticity of software packages throughout their lifecycle. By implementing TUF within the notary client and server, users benefit from a proven, standardized approach to securing software distribution and safeguarding against various threats such as tampering, supply chain attacks, and unauthorized modifications.
OpenPubkey introduces a groundbreaking protocol that harnesses the capabilities of OpenID Providers (OPs) to establish secure bindings between identities and public keys. By extending OpenID Connect (OIDC), OpenPubkey facilitates the inclusion of user- or workload-generated public keys, empowering identities to authenticate and sign messages or artifacts within the OIDC ecosystem. This innovative approach enhances security and trust, enabling seamless integration of identity management with cryptographic operations and fostering a more robust foundation for secure communication and transactions.
In 2023, Docker Inc. announced their adoption of the OpenPubKey project to bolster their Secure Build Pipeline Solution. This strategic move underscores their commitment to enhancing security within their ecosystem by leveraging the capabilities of OpenPubKey to fortify identity management and cryptographic operations throughout the build pipeline.