OrbitalRegSelf-hosted artifact registry

42 package formats, built-in CVE / license scanning, retention, governance, and supply-chain hardening — in one binary.

42 package formats

Maven, npm, PyPI, Docker / OCI, NuGet, Hex, Cargo, Go modules, Terraform registries, Helm, Conda, RubyGems, and 28 more — uploaded, mirrored, and proxied through one API.

All formats →

🛡

CVE + license scanning

Every uploaded artifact is scanned by Trivy / Grype / OSV.dev / Syft. Findings feed automatic quarantine and per-project license policies. The same gate gates promotions in CI.

How scanning works →

🤝

GitOps + Terraform

A Kubernetes operator and a Terraform provider drive the entire governance surface — projects, repositories, retention policies, security blocks, webhook subscriptions — from your existing change-management flow.

Operator →

🚀

GitLab CI components

Six battery-included CI components cover upload, scan-and-promote, and block-list-check workflows. Combined with OIDC token exchange, your pipelines never store a long-lived PAT.

CI catalog →

🔐

Sigstore + cosign

First-class verifier for Sigstore keyless signatures. Bring your own Fulcio root or use the embedded public-good chain. Trust policies are CRUD-managed in the admin console or via Terraform.

Trust policies →

🛟

Backup + DR built in

Postgres-as-CloudNativePG with PITR + 30-day retention out of the box. A weekly verification job restores the latest backup into an ephemeral cluster and runs a smoke suite. Restoring is a runbook, not a research project.

DR runbook →

What is OrbitalReg?

OrbitalReg is an open-source artifact registry that ships everything an enterprise platform team needs to host packages safely:

One binary, one Helm chart. Postgres, Redis, S3-compatible storage, the API, and the SPA frontend are all the dependencies you provision. Everything else — scanning, governance, signing — is built in.
Single-tenant. Each deployment is one customer. Multi-tenant workloads go through projects, not separate clusters.
Air-gappable by default. A fresh install starts with egress blocked — webhooks, OSV, telemetry, Rekor — until an admin whitelists each integration explicitly.
No vendor lock-in. Storage backends, identity providers, scanners, and notification channels are swappable. The wire format for every external touchpoint is documented under Reference.

If you've used Artifactory, Sonatype Nexus, or Cloudsmith and wanted something less SaaS-flavoured and more "fits-in-a-namespace", OrbitalReg is built for that shape.

Where to start

If you want to…	Go to
Get a registry running locally in five minutes	Quickstart
Deploy to a real Kubernetes cluster	Installation
Understand the storage / scanning / governance model	Architecture
Manage projects from GitOps	Kubernetes operator
Manage projects from Terraform	Terraform provider
Wire OrbitalReg into a GitLab pipeline	GitLab CI components
Recover from a Postgres / S3 / cluster loss	Disaster recovery
Map OrbitalReg to ISO 27001 Annex A controls	Compliance
Report a security vulnerability	Security
Review the EULA, terms of service, or privacy policy	Legal
See what changed in the latest release	Release notes

Source

The code lives at github.com/orbitalreg/orbital-enterprice. Issues, RFCs, and the product roadmap live in that repo. Documentation PRs that touch this site land in docs-site/; everything else lives under docs/.