ORAS (OCI Registry As Storage) is a command-line utility and Go library that enables the push, pull, and discovery of arbitrary content types to and from registries compliant with the Open Container Initiative (OCI) Distribution Specification. It treats a standard container registry as a generic, content-agnostic artifact store, allowing MLOps engineers to version and distribute model weights, datasets, and Software Bill of Materials (SBOMs) using the same infrastructure that manages container images.
Glossary
ORAS

What is ORAS?
ORAS is the standard command-line tool and library for managing arbitrary content types in OCI-compliant registries, extending their use beyond container images to model weights, SBOMs, and other artifacts.
ORAS operates by packaging non-container content into OCI Artifacts, which are defined by a manifest referencing content-addressable layers. The tool supports keyless signing via cosign integration, attaching attestations and signatures directly to artifacts for tamper-proof provenance. By leveraging existing registry authentication and immutable tag mechanisms, ORAS establishes a single source of truth for model integrity within air-gapped and sovereign infrastructure environments.
Key Features of ORAS
ORAS (OCI Registry As Storage) extends container registries into generic artifact stores, enabling the push, pull, and discovery of arbitrary content types like model weights and SBOMs using the OCI Distribution Specification.
OCI-Compliant Artifact Distribution
ORAS leverages the Open Container Initiative (OCI) Distribution Specification to manage non-container artifacts. This means you can store model weights, SBOMs, Helm charts, and WASM modules in any standard container registry. By using the same infrastructure for all artifacts, teams eliminate the need for separate storage silos and unify their supply chain tooling. The tool handles the packaging of arbitrary files into OCI-compliant manifests and layers, ensuring compatibility with existing registry authentication and authorization mechanisms.
Content-Addressable Storage with Digests
Every artifact pushed with ORAS is identified by a cryptographic digest (SHA-256), not just a mutable tag. This provides content-addressable storage, where the address of the artifact is derived from its content. Key benefits include:
- Tamper-proofing: Any alteration to the artifact changes its digest, immediately breaking references.
- Deduplication: Registries automatically deduplicate identical layers across artifacts, saving storage.
- Reproducibility: A specific digest always resolves to the exact same bytes, enabling deterministic deployments and audit trails.
Artifact Referencing and Discovery
ORAS implements the OCI Referrers API, which allows you to establish typed relationships between artifacts. For example, you can attach an SBOM, a vulnerability scan result, or a Cosign signature directly to a model artifact in the registry. This creates a queryable graph of supply chain metadata. A user can discover all attestations and related objects for a given model digest without needing a separate metadata database, enabling in-registry provenance tracking.
Copy and Distribution Commands
ORAS provides powerful commands for moving artifacts between registries without local storage. The oras copy command performs a registry-to-registry transfer, pulling manifests and blobs from a source and pushing them to a destination. This is critical for:
- Air-gapped deployments: Copying verified models from an internet-connected staging registry to a disconnected production registry.
- Promotion workflows: Moving an artifact from a development registry to a production registry after passing all policy checks.
- Mirroring: Replicating artifacts across geographically distributed registries for low-latency access.
Library and CLI Integration
ORAS is available as both a command-line interface (CLI) and a Go library. The CLI is designed for human operators and CI/CD pipelines, offering intuitive commands like oras push, oras pull, oras attach, and oras discover. The Go library allows developers to embed OCI artifact management directly into custom tools and platforms. This dual approach means infrastructure teams can script artifact workflows while platform engineers build native registry interactions into their MLOps and DevSecOps systems.
Secure Supply Chain Foundation
ORAS serves as the foundational transport layer for Sigstore and SLSA compliance in AI supply chains. When combined with Cosign, artifacts pushed via ORAS can be keylessly signed using workload identities. The resulting signatures are stored as referrer artifacts alongside the original content. This enables:
- Deploy-time verification: Admission controllers can verify signatures before allowing a model to be loaded.
- Non-repudiation: The signing identity is recorded in the Rekor transparency log, providing undeniable proof of origin.
- Policy enforcement: Tools like Open Policy Agent (OPA) can query the referrer graph to enforce that only models with verified SBOMs and passing scan results are deployed.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
Clear, technical answers to the most common questions about the OCI Registry as Storage (ORAS) client and library for managing arbitrary artifacts in container registries.
ORAS (OCI Registry as Storage) is a command-line tool and Go library that extends the Open Container Initiative (OCI) Distribution Specification to manage arbitrary content types—such as machine learning model weights, Software Bill of Materials (SBOM) documents, and Helm charts—within standard container registries. It works by packaging non-container artifacts as OCI-compliant manifests and layers, then pushing, pulling, and discovering them using the same registry APIs designed for container images. Under the hood, ORAS serializes content into content-addressable blobs identified by their SHA-256 digest, creates a manifest that references those blobs, and optionally attaches the manifest to an existing image using an OCI Artifact Manifest or OCI Image Manifest. This allows teams to store model binaries, training datasets, and attestations alongside their serving container images in a unified, immutable registry, eliminating the need for separate artifact storage systems.
Related Terms
ORAS bridges model artifacts and standard container registries. These related concepts define the security, integrity, and distribution mechanisms that make OCI-based model storage enterprise-ready.
Model Bill of Materials (MBOM)
An extension of the SBOM concept to machine learning, cataloging every component of a model's supply chain. An MBOM stored as an OCI Artifact via ORAS includes:
- Training dataset identifiers and provenance
- Preprocessing code and hyperparameters
- Model architecture and framework dependencies
- Evaluation results and fairness metrics ORAS enables pushing an MBOM alongside model weights to the same registry, creating a single source of truth for auditors.
Attestation
A cryptographically signed statement asserting a verifiable fact about a software artifact. In the ORAS context, attestations are stored as separate OCI Artifacts linked to a model manifest. Common attestation types include:
- Provenance attestations: who built the model, when, and from what source
- Vulnerability scan attestations: results of security scanning
- Test result attestations: evaluation metrics and benchmark scores ORAS enables pulling these attestations alongside model weights for automated policy enforcement.
Immutable Tag
A registry feature preventing a specific tag from being overwritten. When combined with ORAS workflows, immutable tags ensure that a reference like my-model:v1.0 always resolves to the exact same content digest. This property is critical for:
- Reproducible deployments: the same tag always pulls identical weights
- Audit compliance: no possibility of silent model swapping
- Supply chain integrity: prevents an attacker from replacing a benign model with a backdoored version under the same tag
Content Trust
A security mechanism using digital signatures to verify both the integrity and publisher of an artifact. ORAS integrates with Docker Content Trust and Sigstore to enable:
- Publisher verification: confirming a model came from an authorized team
- Integrity verification: detecting any tampering since signing
- Policy enforcement: registries or admission controllers can reject unsigned models This is the foundational security primitive that transforms a container registry into a trusted model distribution channel.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us