Inferensys

Glossary

ORAS

ORAS (OCI Registry as Storage) is a command-line tool and Go library that extends container registries to manage any OCI-compliant artifact, enabling the push, pull, and discovery of model weights, SBOMs, and other arbitrary content types.
Developer building agentic RAG system, retrieval pipeline diagram on laptop, technical workspace with notes.
OCI REGISTRY AS STORAGE

What is ORAS?

ORAS is the standard command-line tool and library for managing arbitrary content types in OCI-compliant registries, extending their use beyond container images to model weights, SBOMs, and other artifacts.

ORAS (OCI Registry As Storage) is a command-line utility and Go library that enables the push, pull, and discovery of arbitrary content types to and from registries compliant with the Open Container Initiative (OCI) Distribution Specification. It treats a standard container registry as a generic, content-agnostic artifact store, allowing MLOps engineers to version and distribute model weights, datasets, and Software Bill of Materials (SBOMs) using the same infrastructure that manages container images.

ORAS operates by packaging non-container content into OCI Artifacts, which are defined by a manifest referencing content-addressable layers. The tool supports keyless signing via cosign integration, attaching attestations and signatures directly to artifacts for tamper-proof provenance. By leveraging existing registry authentication and immutable tag mechanisms, ORAS establishes a single source of truth for model integrity within air-gapped and sovereign infrastructure environments.

OCI Artifact Management

Key Features of ORAS

ORAS (OCI Registry As Storage) extends container registries into generic artifact stores, enabling the push, pull, and discovery of arbitrary content types like model weights and SBOMs using the OCI Distribution Specification.

01

OCI-Compliant Artifact Distribution

ORAS leverages the Open Container Initiative (OCI) Distribution Specification to manage non-container artifacts. This means you can store model weights, SBOMs, Helm charts, and WASM modules in any standard container registry. By using the same infrastructure for all artifacts, teams eliminate the need for separate storage silos and unify their supply chain tooling. The tool handles the packaging of arbitrary files into OCI-compliant manifests and layers, ensuring compatibility with existing registry authentication and authorization mechanisms.

02

Content-Addressable Storage with Digests

Every artifact pushed with ORAS is identified by a cryptographic digest (SHA-256), not just a mutable tag. This provides content-addressable storage, where the address of the artifact is derived from its content. Key benefits include:

  • Tamper-proofing: Any alteration to the artifact changes its digest, immediately breaking references.
  • Deduplication: Registries automatically deduplicate identical layers across artifacts, saving storage.
  • Reproducibility: A specific digest always resolves to the exact same bytes, enabling deterministic deployments and audit trails.
03

Artifact Referencing and Discovery

ORAS implements the OCI Referrers API, which allows you to establish typed relationships between artifacts. For example, you can attach an SBOM, a vulnerability scan result, or a Cosign signature directly to a model artifact in the registry. This creates a queryable graph of supply chain metadata. A user can discover all attestations and related objects for a given model digest without needing a separate metadata database, enabling in-registry provenance tracking.

04

Copy and Distribution Commands

ORAS provides powerful commands for moving artifacts between registries without local storage. The oras copy command performs a registry-to-registry transfer, pulling manifests and blobs from a source and pushing them to a destination. This is critical for:

  • Air-gapped deployments: Copying verified models from an internet-connected staging registry to a disconnected production registry.
  • Promotion workflows: Moving an artifact from a development registry to a production registry after passing all policy checks.
  • Mirroring: Replicating artifacts across geographically distributed registries for low-latency access.
05

Library and CLI Integration

ORAS is available as both a command-line interface (CLI) and a Go library. The CLI is designed for human operators and CI/CD pipelines, offering intuitive commands like oras push, oras pull, oras attach, and oras discover. The Go library allows developers to embed OCI artifact management directly into custom tools and platforms. This dual approach means infrastructure teams can script artifact workflows while platform engineers build native registry interactions into their MLOps and DevSecOps systems.

06

Secure Supply Chain Foundation

ORAS serves as the foundational transport layer for Sigstore and SLSA compliance in AI supply chains. When combined with Cosign, artifacts pushed via ORAS can be keylessly signed using workload identities. The resulting signatures are stored as referrer artifacts alongside the original content. This enables:

  • Deploy-time verification: Admission controllers can verify signatures before allowing a model to be loaded.
  • Non-repudiation: The signing identity is recorded in the Rekor transparency log, providing undeniable proof of origin.
  • Policy enforcement: Tools like Open Policy Agent (OPA) can query the referrer graph to enforce that only models with verified SBOMs and passing scan results are deployed.
ORAS EXPLAINED

Frequently Asked Questions

Clear, technical answers to the most common questions about the OCI Registry as Storage (ORAS) client and library for managing arbitrary artifacts in container registries.

ORAS (OCI Registry as Storage) is a command-line tool and Go library that extends the Open Container Initiative (OCI) Distribution Specification to manage arbitrary content types—such as machine learning model weights, Software Bill of Materials (SBOM) documents, and Helm charts—within standard container registries. It works by packaging non-container artifacts as OCI-compliant manifests and layers, then pushing, pulling, and discovering them using the same registry APIs designed for container images. Under the hood, ORAS serializes content into content-addressable blobs identified by their SHA-256 digest, creates a manifest that references those blobs, and optionally attaches the manifest to an existing image using an OCI Artifact Manifest or OCI Image Manifest. This allows teams to store model binaries, training datasets, and attestations alongside their serving container images in a unified, immutable registry, eliminating the need for separate artifact storage systems.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.