A collection of definitions and terms used within this repository.
- Fingerprint
- Fully Qualified Artifact Reference
- OCI Annotations
- OCI Descriptor
- OCI Index
- OCI Manifest
- Registry
- Repo/Repository
- Repository Path
- SBoM
- Subject
- Tag
Artifact: Artifacts are a generalization of how images are stored in an instance of the OCI Distribution Spec. An OCI Image is a type of OCI Artifact. When referencing artifacts within a fully qualified reference, the artifact is the rightmost element of the namespace, combined with the :tag. Reference: OCI Artifacts
Fingerprint: A short identifier of a given public key. Reference: Fingerprint
OCI Annotations: A key-value map that can be associated with OCI Descriptors and OCI Image manifests. OCI spec reference: OCI Annotations
OCI Descriptor: A structure describing content, including the media type, a content-addressable digest, the size, and other properties. Descriptors are used to describe layers and configuration in a manifest. OCI spec reference: OCI Descriptor
OCI Index: A higher-level collection of image manifests, or other OCI Indexes, typically used to describe platform-specific (architecture and operating-system) images that can be identified collectively and referred to together. The specific image manifests are identified by modified descriptors with additional properties and restrictions. OCI Artifacts are another use-case for indexes where an OCI Index can reference a collection of artifacts, such as an image, a deployment chart, its SBoM and deployment configuration references. OCI spec reference: OCI Image Index
OCI Manifest: A description of an artifact. The manifest references optional configuration and blobs (layers) as content-addressable references (descriptors). Artifacts may be container images, Helm charts or other artifact types that may be signed and stored in a registry. OCI spec reference: OCI Image Manifest
Registry: A registry is a collection of OCI Indexes and OCI Manifests for a specific org or entity. A registry may be uniquely identified with a domain or a root namespace:
- example.com/org/namespace/artifact:tag
- org.example.com/namespace/artifact:tag
Repo/Repository: A repo/repository refers to the unique location within a registry. When referring to a repo, the registry is assumed, based on the context.
Repository Path: A path, within the unique registry org, up to, but not including, the repository (repo) name.
Fully Qualified Artifact Reference: In order to deploy an artifact, a fully qualified reference is required. This includes the unique registry, namespace, repo and tag.
SBoM: Represents a generic, non-project specific, reference to a Software Bill of Materials. Similar to the automotive industry, which tracks the components that make up a vehicle, the SBoM may contain the list of packages used within the artifact, the compiler and version used to build the artifact and other relevant information. Additional reference: Software bill of materials
Subject: The data that is signed.
Tag: Information that represents a version, or platform specific version of the artifact. E.g.:
- org.example.com/databases/somedb:v1 (multi-arch tag)
- org.example.com/databases/somedb:v1-alpine (platform specific tag)
- org.example.com/databases/somedb:v1-windows (platform specific tag)
- org.example.com/databases/somedb:v1-helm (helm chart to deploy a platform specific image)
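The OCI Descriptor and OCI Manifest definitions both rest on content-addressable references. The Python below is an added example, not code from this repository: it builds descriptors, assembles a manifest from them, and verifies the manifest and every blob it names starting from one descriptor that is assumed to be trusted (for instance, because it was the signed data). The function names, the constructed blob contents and the restriction to SHA-256 are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Media types from the OCI image spec; all blob contents below are constructed.
MANIFEST_TYPE = "application/vnd.oci.image.manifest.v1+json"
CONFIG_TYPE = "application/vnd.oci.image.config.v1+json"
LAYER_TYPE = "application/vnd.oci.image.layer.v1.tar"

def describe(media_type, content):
    """Build a descriptor: media type, content-addressable digest, size."""
    digest = "sha256:" + hashlib.sha256(content).hexdigest()
    return {"mediaType": media_type, "digest": digest, "size": len(content)}

def matches(descriptor, content):
    """True only if the bytes are exactly the content the descriptor names."""
    algorithm, _, expected = descriptor["digest"].partition(":")
    if algorithm != "sha256" or len(content) != descriptor["size"]:
        return False  # this sketch accepts a single digest algorithm
    return hmac.compare_digest(hashlib.sha256(content).hexdigest(), expected)

def build_manifest(config, layers):
    """Serialize a manifest that points at its config and layers by descriptor."""
    manifest = {
        "schemaVersion": 2,
        "mediaType": MANIFEST_TYPE,
        "config": describe(CONFIG_TYPE, config),
        "layers": [describe(LAYER_TYPE, layer) for layer in layers],
    }
    return json.dumps(manifest, sort_keys=True).encode()

def verify(trusted, manifest_bytes, blobs):
    """Return a list of problems; an empty list means everything matched."""
    if not matches(trusted, manifest_bytes):
        return ["manifest does not match its descriptor"]
    manifest = json.loads(manifest_bytes)
    bad = []
    for desc in [manifest["config"], *manifest["layers"]]:
        blob = blobs.get(desc["digest"])  # blobs are looked up by digest
        if blob is None or not matches(desc, blob):
            bad.append(desc["digest"])
    return bad

CONFIG = b'{"architecture":"amd64","os":"linux"}'  # constructed sample
LAYER = b"constructed layer bytes"  # constructed sample
MANIFEST = build_manifest(CONFIG, [LAYER])
```

Because each level is checked against a digest held by the level above, trusting the single manifest descriptor is enough to detect a changed, truncated or missing blob anywhere beneath it.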