Artifact Registries
The artifact registry allows the packaged components endorsed by the CNOE community to be signed, accessible, and traceable for its users. By storing the list of components in an OCI registry or Git repository, the CNOE packaging framework will be able to work with versioned, compatible artifacts that have already been tested and verified to work together. It also allows secure software supply chain (SSSC) best practices to be applied to the combination of the registry and the packaging mechanism, further increasing CNOE users' confidence in these tools.
- Canonical location for durable long-term artifact storage.
- Catalog and metadata about artifacts, used for artifact discovery.
- Can be used in conjunction with Role-Based Access Control (RBAC) to limit access to artifacts.
- Should be versioned and is often immutable.
- Often used with static analysis tools to verify artifacts are free from known vulnerabilities.