Package formats
OrbitalReg supports 40+ package formats across every major language and platform ecosystem. Each format has:
- A native HTTP API matching the upstream tool's expectations (mvn deploy, npm publish, pip install, docker push, …)
- Local + remote + virtual repository modes
- Format-specific scanners hooked into the Detection pipeline
- A retention-policy grammar that understands the format's versioning conventions
The format catalogue covers four ecosystem groups:
Language ecosystems
| Format | Repository types | Detection adapters | Format reference |
|---|---|---|---|
| Maven | local, remote, virtual | Trivy, Grype, OSV, Syft | Maven |
| npm | local, remote, virtual | Trivy, Grype, OSV, Syft | npm |
| PyPI | local, remote, virtual | Trivy, Grype, OSV, Syft | PyPI |
| RubyGems | local, remote | Trivy, Grype, OSV | — |
| Cargo | local, remote | Trivy, OSV | — |
| Go modules | local, remote | OSV, govulncheck | — |
| NuGet | local, remote | Trivy, Grype, OSV | — |
| Hex (Elixir) | local, remote | OSV | — |
| Swift | local, remote | OSV | — |
| Dart / pub | local, remote | OSV | — |
| Composer (PHP) | local, remote | OSV | — |
| CRAN (R) | local, remote | — | — |
| Deno | local, remote | OSV | — |
Container + image + model ecosystems
| Format | Repository types | Detection adapters | Format reference |
|---|---|---|---|
| Docker / OCI | local, remote | Trivy, Grype, Syft | Docker / OCI |
| Helm | local, remote | Trivy | — |
| Conda | local, remote | OSV | — |
| Hugging Face | local, remote | Trivy | — |
| Ollama | local, remote | — | — |
| NVIDIA NIM / Skills | local, remote | — | — |
OS / system packages
| Format | Repository types | Detection adapters | Format reference |
|---|---|---|---|
| Debian | local, remote | Trivy, Grype | — |
| RPM | local, remote | Trivy, Grype | — |
| Alpine APK | local, remote | Trivy, Grype | — |
| Homebrew | local, remote | — | — |
| Nix | local, remote | — | — |
| OPKG (OpenWrt) | local | Trivy | — |
IaC / build / tools
| Format | Repository types | Detection adapters | Format reference |
|---|---|---|---|
| Terraform registry | local, remote | Trivy IaC | — |
| Argo Workflows | local, remote | — | — |
| Kustomize | local, remote | — | — |
| OPA bundles | local, remote | — | — |
| Vagrant | local | — | — |
| Bazel | local | OSV | — |
| Conan | local | OSV | — |
| Cocoapods | local | OSV | — |
| Puppet Forge | local | — | — |
| Chef Supermarket | local | — | — |
| Bower | local | — | — |
| JetBrains Marketplace | local | — | — |
| VSIX (VS Code) | local | — | — |
| P2 (Eclipse) | local | — | — |
VCS proxies
| Format | Notes |
|---|---|
| Git LFS | Pass-through, content-addressable |
| Generic VCS | Read-through proxy for go get & co. |
| Generic blob | Content-addressable raw artifact store (/api/v1/artifacts/...) |
Promotion across formats
Promotion is format-aware. A Maven artifact promoted from staging to prod-maven carries its POM, sources jar, and signature blocks together; a Docker image promotion preserves the manifest list. Each format's promotion behaviour is detailed in its format-specific page.
Adding a new format
The format-adapter contract is documented in PACKAGE-FORMATS-ROADMAP.md. A new adapter is roughly 200–800 lines of Go plus an integration-test suite. The integration harness in tests/integration/ covers all shipped formats and runs in CI on every PR that touches the format layer.