Inferensys

Glossary

OCI Artifact

An OCI artifact is a generic term for any arbitrary content type stored in an OCI-compliant registry using the OCI distribution specification, extending the registry beyond container images to store things like Helm charts or SBOMs.
Data engineer managing feature store on laptop, feature definitions visible, casual data engineering session.
DEFINITION

What is an OCI Artifact?

An OCI Artifact is any arbitrary content type stored and distributed using the Open Container Initiative (OCI) Distribution Specification, extending registries beyond container images to manage Helm charts, SBOMs, and other cloud-native assets.

An OCI Artifact is a generic, content-agnostic object stored in an OCI-compliant registry using the OCI Distribution Specification APIs. While the specification originally targeted container images, the artifacts extension defines a standardized method for pushing, pulling, and discovering any content type—such as Helm charts, Software Bill of Materials (SBOMs) , or SLSA Provenance attestations—by referencing a unique artifactType field in the manifest.

This mechanism transforms a container registry into a generic content-addressable storage system for cloud-native supply chain assets. By leveraging existing registry infrastructure, OCI Artifacts enable Cosign signatures and Image Attestations to be stored alongside the images they verify, eliminating the need for separate storage backends and ensuring cryptographic co-location of related objects within a single retention policy scope.

Beyond Container Images

Key Characteristics of OCI Artifacts

OCI Artifacts extend the distribution specification to manage any arbitrary content type with the same pull, push, and security primitives used for container images.

01

Content Agnosticism

The OCI distribution specification decouples the storage and transport mechanism from the content type. An OCI Artifact is defined by its media type (e.g., application/vnd.cncf.helm.chart.config.v1+json) rather than a fixed image format. This allows registries to store Helm charts, SBOMs, SLSA Provenance attestations, WebAssembly modules, and OPA bundles as first-class objects. The registry treats all artifacts uniformly for operations like garbage collection and replication, while clients negotiate content handling based on the declared media type.

02

Referrers API for Supply Chain Linking

A critical extension enabling artifact graphs. The Referrers API allows clients to query an artifact's linked objects—such as finding all Cosign signatures or SBOM attestations for a specific image digest. This creates a queryable, in-registry graph:

  • Signatures: Link a cryptographic signature to the signed manifest
  • SBOMs: Attach a software bill of materials to the exact image it describes
  • Vulnerability scans: Reference scan results alongside the scanned artifact This eliminates out-of-band metadata stores and keeps provenance data co-located with the artifact.
03

Content-Addressable Integrity

Every OCI Artifact is addressed by a SHA256 digest derived from its manifest content. This provides immutable, tamper-evident identification. Once pushed, the digest is a permanent fingerprint; any modification produces a new digest. This property is foundational for:

  • SLSA Level 3 compliance: Non-forgeable build provenance
  • Binary Authorization: Deploy-time policy enforcement based on exact digests
  • Reproducible builds: Verifying that rebuilds produce identical digests Tags remain mutable pointers, but security-critical workflows pin to digests.
04

OCI Index for Multi-Platform Artifacts

An OCI Image Index (or manifest list) is itself an OCI Artifact that references multiple platform-specific manifests under a single tag. This enables:

  • Multi-arch container images: One tag resolves to linux/amd64, linux/arm64, and windows/amd64 variants
  • Multi-artifact bundles: A single index can group a container image, its SBOM, and its signature as a deployable unit
  • Fat manifest patterns: Grouping related artifacts for atomic promotion across environments The index is a JSON document containing an array of descriptors, each with a media type, digest, size, and optional platform constraints.
05

Push/Pull Parity with Container Images

OCI Artifacts use the identical push, pull, mount, and delete workflows as container images. Tools like ORAS (OCI Registry As Storage) extend this to arbitrary content:

  • oras push uploads any file with a custom media type
  • oras pull retrieves artifacts by digest or tag
  • Cross-registry copy: skopeo copy and crane copy replicate artifacts between registries This parity means existing registry infrastructure—authentication, RBAC, geo-replication, garbage collection—works without modification for non-image artifacts.
06

Artifact Type Filtering and Discovery

The artifactType field in the OCI manifest distinguishes artifact categories for registry-side filtering. Registries like Harbor and cloud providers expose this in their UI and API, allowing users to:

  • Filter views: Show only Helm charts or only SBOMs
  • Enforce policies: Apply different retention rules to signatures vs. container images
  • Trigger automation: Fire webhooks when a new attestation is attached This metadata enables artifact-aware registry management without parsing the artifact content itself.
OCI ARTIFACT CLARIFICATIONS

Frequently Asked Questions

Addressing common technical questions about the storage, management, and security implications of arbitrary content types within OCI-compliant registries.

An OCI Artifact is any arbitrary content type stored in an OCI-compliant registry using the OCI Distribution Specification, extending the registry's utility far beyond standard container images. While the OCI Image Specification strictly defines how container filesystem layers and runtime configurations are packaged, the distribution spec defines the API for pushing and pulling content-addressable blobs. By leveraging the artifactType field in the manifest, registries can now natively host Helm charts, SBOMs, SLSA Provenance attestations, and Cosign signatures. This mechanism transforms a private registry into a generic, content-agnostic store for any cloud-native asset, enabling a single content trust policy to govern all deployable artifacts within a sovereign infrastructure.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.