v1.0.1 is out: security & robustness release — plus Go, npm & Maven registries fresh on main.
v1.0.1 · One binary. Eleven protocols. Zero outbound calls.

Every artifact your team ships, one container.

OmniRepo is a self-hosted registry that speaks OCI, RPM, APT, PyPI, Helm, Go, npm, Maven, Git, S3 & raw blobs natively — with built-in Trivy vulnerability scanning, project-scoped RBAC, and an air-gap invariant enforced in CI. Drop it on a host, point your build tools at it, done.

Apache-2.0 · single Docker image · linux/amd64
Speaks every major artifact protocol — natively, not proxied
OCI / Docker: /v2/*
RPM / YUM: repomd.xml
APT / Debian: InRelease
PyPI: PEP 503/691/694
Helm: index.yaml · .tgz
Git: Smart HTTP · go-git
Go proxy (new): GOPROXY · @v/list
npm (new): packument · publish
Maven (new): mvn deploy · gradle
S3: SigV4 · multipart
Raw blobs: HTTP · digest hdrs
REST API: OpenAPI 3.1 · /api/v1
01.5  —  ARCHITECTURE

How OmniRepo slots into your stack.

One container sits between what your team builds and everything that consumes those artifacts. No agents, no sidecars, no shared file systems.

Push paths (build → OmniRepo):
CI / CD runners: gitlab · github · drone
Dev machines: docker · pip · twine
Package builders: rpm · deb · npm · mvn

OmniRepo (single container): docker · rpm · deb · pypi · helm · git · s3 · raw · go · npm · maven
● Trivy scans on push · SQLite · WAL · FTS5

Pull paths (OmniRepo → consumer):
Prod & staging: apt · yum · docker pull
Air-gap mirror: pull-through · admin sync
Dev / CI consumers: pip · helm · go get
◆  —  SECURITY SCANNING

Every artifact, scanned by Trivy. On the way in, and on the way out.

Trivy ships inside the container with an air-gap-baked vulnerability database. RPM cpio payloads and PyPI wheel transitive deps are unpacked before the scan — so Trivy sees real filesystem entries, not just metadata. Per-repo gates refuse pulls of artifacts whose latest scan found findings at or above your threshold.

Included · no license key · no external service

Trivy v0.69, embedded

platform/docker/images/nginx:1.27 · scan #8241 · BLOCKED on pull
Scanner: trivy 0.69.3 · db 2026-04-16 · offline · unpacked layers: 7
Critical: 4 · High: 7 · Medium: 11 · Low: 14
Critical · CVE-2024-6387 · openssh-server · remote code exec
Critical · CVE-2024-21626 · runc · container escape
Critical · CVE-2024-24790 · golang · net/netip bypass
High · CVE-2024-47175 · cups-browsed
High · CVE-2024-24785 · golang
✗ pull refused · repo docker-images has block_on_severity = HIGH
--skip-db-update · --offline-scan · cpio unpack · wheel deps · SBOM on push
Block on severity

Per-repo pull gates

Set block_on_severity to critical, high, medium or low. Pulls of unscanned-or-vulnerable artifacts return 403.
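The gate decision described above, sketched as an added Go example; it is not OmniRepo's own code. The `ScanResult` type, the function names, and the choice that a repo without a gate serves everything are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

type Severity int // a higher value is worse

const (
	None Severity = iota // no gate configured on the repo
	Low
	Medium
	High
	Critical
)

var byName = map[string]Severity{"low": Low, "medium": Medium, "high": High, "critical": Critical}

// ParseSeverity maps a block_on_severity value (any case) to a Severity.
func ParseSeverity(s string) (Severity, error) {
	sev, ok := byName[strings.ToLower(strings.TrimSpace(s))]
	if !ok {
		return None, fmt.Errorf("unknown block_on_severity %q", s)
	}
	return sev, nil
}

// ScanResult is a hypothetical record of an artifact's latest scan.
type ScanResult struct {
	Scanned bool
	Counts  map[Severity]int // findings per severity
}

// PullStatus returns the HTTP status a gated repo answers a pull with.
func PullStatus(threshold Severity, r ScanResult) int {
	if threshold == None {
		return http.StatusOK // assumption: no gate means no check
	}
	if !r.Scanned {
		return http.StatusForbidden // fail closed: unscanned is never served
	}
	for sev, n := range r.Counts {
		if n > 0 && sev >= threshold {
			return http.StatusForbidden // finding at or above the threshold
		}
	}
	return http.StatusOK
}

func main() {
	gate, _ := ParseSeverity("HIGH")
	// Constructed sample: the counts from the nginx:1.27 scan card on this page.
	nginx := ScanResult{Scanned: true, Counts: map[Severity]int{Critical: 4, High: 7, Medium: 11, Low: 14}}
	fmt.Println(PullStatus(gate, nginx))
}
```

Failing closed on unscanned artifacts matters because scans run asynchronously: a pull that arrives between push and scan completion would otherwise slip past the gate.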

Unpacked, not just headers

Deep scanning

RPM cpio payloads walked. PyPI wheel transitive deps resolved. OCI layers fully extracted. Trivy sees real filesystem trees, not artifact metadata.

Air-gap friendly

Baked DB + tarball updates

Ship with a vuln DB baked into the image. Refresh via Admin → Trivy DB — upload a tarball, or (if allowed) click to pull. Nothing phones home without you.

Async pool

Scans don't block pushes

Scan jobs run in a worker pool. Results are indexed in SQLite FTS5 — searchable by CVE ID, artifact, or project from the sidebar.

Scanned protocols: OCI layers · RPM (cpio) · DEB · PyPI wheels · Helm charts · Raw blobs
01  —  PLATFORM

A focused alternative to Artifactory and Nexus.

One Go binary. One HTTP/HTTPS port. One mounted volume. Multiplex every build tool in your shop through a registry that's auditable, scanned, and project-scoped by default.

One router, every protocol

Every handler mounts as an http.Handler on the same chi router. No sidecars, no reverse proxy, no adapter glue. Same auth, same audit log, same storage primitives.

OCI pull: GET /v2/platform/docker/images/manifests/latest
PyPI install: GET /data-science/pypi/ml/simple/torch/
APT update: GET /platform/deb/stable/dists/bookworm/InRelease
npm publish: PUT /platform/npm/js/mypkg
Git push: POST /mobile-app/git/app-source.git/git-receive-pack
S3 PUT: PUT /s3/my-bucket/dataset.parquet

Trivy-backed scanning

Embedded subprocess with an air-gap-baked DB. Per-repo gates refuse pulls above a severity threshold.

Critical · CVE-2024-6387
Critical · CVE-2024-21626
High · CVE-2024-47175
Medium · +11 more

Unified content-addressed storage

A single SHA-256 blob tree underneath every protocol. No duplicates across repos; atomic renames; fsync'd parents.

model-artifacts (raw) · 10.0 GB
docker-images (docker) · 5.0 GB
jupyter-images (docker) · 3.0 GB
centos-packages (rpm) · 2.0 GB
ml-packages (pypi) · 512 MB
build-tools (deb) · 256 MB

Every action, auditable

Auth decisions, uploads, admin changes — all logged to SQLite plus an NDJSON mirror you can tail.

just now · admin · auth.login.success
14s ago · alice · repo.created · platform/deb/qa-apt
2m ago · bob · artifact.pushed · torch-2.4.whl
3m ago · system · auth.login.failure · wronguser
8m ago · admin · tls.cert.uploaded

API keys, not secrets

User-owned or project-owned. Prefix-indexed SHA-256. Shown exactly once.

User · omr_u_8d9r…12d
S3 · AKIA7X…P4Q24d
Project · omr_p_platform…1h

Project-scoped by default

Flat user / project / member model. Every artifact lives under a project; non-members get a 403.

platform — 3 repos, 4 members
data-science — 3 repos, 3 members
mobile-app — 2 repos, 2 members

SQLite FTS5 across everything

Full-text search across repos, artifacts, CVEs and packages — one WAL-mode database, one binary. Filter by Kind (repos · artifacts · CVEs), Severity, or Project.

OmniRepo global search showing CVE results filtered by "openssl"

Upstream mirror repos

Mirror APT, RPM, PyPI, and Helm upstreams into OmniRepo's local cache — with per-protocol allowlist filters and optional stored upstream credentials, encrypted at rest. Native clients pull from your host — not the internet. Triggered on demand from the UI, or by your existing scheduler hitting /sync.

pypi.org/simple → platform/pypi/pkg · ● syncing
42 / 63 packages · 18.4 MB
charts.bitnami.com → platform/helm/charts · ● done
2 charts · redis, memcached · 4.1 MB

Drift purge with admin guard

When an upstream removes a package, OmniRepo's mirror reflects it — drifted artifacts move to the trash (7-day retention, restorable). If a sync would purge more than 50% of a repo, OmniRepo blocks it and shows an admin-confirm dialog so a broken upstream can't accidentally wipe your cache.

platform/pypi/pkg · drift purged ● done · 6s
120 files synced · 3 drift-purged → trash
platform/rpm/el9 · BLOCKED ● 51% drift > threshold
Awaiting admin confirm · force_drift_threshold: true

Clone images from any registry

Pull a specific tag or digest from Docker Hub, GHCR, or Quay into a local repo. Cherry-pick what you need — no full mirror required.

src docker.io/library/nginx:1.27
dst platform/docker/images/nginx:1.27
✓ pulled 3 layers · 48.2 MB · scan queued

Go, npm & Maven registries (new)

A GOPROXY module proxy for go get, an npm registry with native npm publish and immutable versions, and a full Maven layout for mvn deploy / Gradle. Landed on main right after v1.0.1 — shipping in the next tagged release.

export GOPROXY=https://host:8443/platform/go/modules
npm publish # republish of an existing version → 403
mvn deploy # artifacts + checksums + metadata

Copy-paste client snippets

Every repo page shows ready-to-use commands pre-filled with your host, project, and tag — docker pull, pip install, helm repo add, apt source lists, GOPROXY exports, .npmrc config, and Maven pom.xml blocks.

docker pull host:8443/
pip install --index-url https://…
helm repo add omnirepo https://…

Bootstrap from JSON

Seed users, projects, repos, and API keys from a single bootstrap.json on first boot. Fully automatable — no manual clicks.

{
  "super_admin": { },
  "projects": [],
  "repos": [],
  "api_keys": []
}

OpenAPI 3.1 + Swagger UI

Full REST API spec at /api/docs/. Explore endpoints, try requests, and generate client SDKs — all shipped inside the container.

GET /api/v1/projects/{name}/repos
POST /api/v1/projects/{name}/repos
01.5  —  WEB UI

A real dashboard.
Shipped inside the binary.

React 19 + shadcn/ui, embedded via go:embed. No extra container, no CDN, no third-party panel. Manage everything from one place — repos, scans, keys, S3 buckets, mirrors, and audit logs.

Dashboard · live data
OmniRepo dashboard with live storage, scan findings, and health cards
Docker repo · scan badges
Docker repository view showing pushed images with scan status and digests
Scan results · per-artifact
Per-artifact scan results page with severity counts and report links
Audit log · CSV / JSON export
Audit log view with timestamps, actors, actions, and outcomes
Global FTS5 search · CLI snippets per repo · S3 bucket browser · Mirror sync history + drift · Trash & restore · Git file & blame viewers · Incident-ID error envelopes · Light & dark theme · responsive
02  —  SECURITY

Air-gap by default.
Enforced in CI.

No outbound HTTP from the binary without an explicit admin action. We assert it with make test-airgap on every PR — the binary boots in a sandboxed net namespace and must make zero outbound calls.

omnirepo (container) · registry-1.docker.io
omnirepo (container) · pypi.org / files
omnirepo (container) · ghcr.io / aquasecurity
omnirepo (container) · cdn.jsdelivr.net
admin clicks "Update" · ✓ allow · Trivy DB refresh

No CDN. No telemetry. No phone-home.

Fonts embedded. Icons tree-shaken into the bundle. Swagger UI copied at build time. Trivy shipped with a baked DB. The binary makes zero outbound HTTP calls of its own — asserted in CI.

Argon2id, not bcrypt.

m=64MiB, t=3, p=4 for passwords. API keys are prefix-indexed SHA-256. Docker JWTs are HS256 with a per-install 32-byte secret. Sessions are 12h sliding cookies.
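What "prefix-indexed SHA-256" and "shown exactly once" mean for API keys (here and in the "API keys, not secrets" card), as an added Go example; it is not OmniRepo's own code. The 12-character prefix length, the hex key body, and the `KeyStore` type are assumptions; only the `omr_u_` / `omr_p_` key shape comes from the page.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// prefixLen is an assumption: "omr_u_" plus 6 characters kept in clear as the index.
const prefixLen = 12

var ErrBadKey = errors.New("invalid API key")

// KeyStore holds prefix -> SHA-256 digests; the plaintext key is never stored.
// A fast hash is adequate because keys are 256-bit random values, unlike passwords.
type KeyStore struct{ byPrefix map[string][][sha256.Size]byte }

func NewKeyStore() *KeyStore { return &KeyStore{byPrefix: map[string][][sha256.Size]byte{}} }

// Issue mints a key, records its digest under its prefix, and returns the plaintext once.
func (s *KeyStore) Issue(kind string) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	key := "omr_" + kind + "_" + hex.EncodeToString(buf)
	p := key[:prefixLen]
	// Prefixes are short, so several keys may share one; keep every digest.
	s.byPrefix[p] = append(s.byPrefix[p], sha256.Sum256([]byte(key)))
	return key, nil
}

// Verify narrows candidates by prefix, then compares digests in constant time.
func (s *KeyStore) Verify(presented string) error {
	if len(presented) < prefixLen {
		return ErrBadKey
	}
	got := sha256.Sum256([]byte(presented))
	for _, want := range s.byPrefix[presented[:prefixLen]] {
		if subtle.ConstantTimeCompare(got[:], want[:]) == 1 {
			return nil
		}
	}
	return ErrBadKey
}

func main() {
	ks := NewKeyStore()
	key, _ := ks.Issue("u")
	fmt.Println(ks.Verify(key), ks.Verify(key+"0"))
}
```

A database dump of such a store exposes prefixes and digests only, so a leaked backup does not yield usable keys.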

Hot-reloadable TLS.

Upload a PEM pair through Admin → TLS. The live listener swaps without restarting the server. Old certs archived for rollback.

Admin → Trivy Database Drag-and-drop tarball, or click Pull if the host is allowed outbound
OmniRepo Admin → Trivy Database panel showing baked-in DB version, age, size, upload area, and update history
03  —  INSTALL

Five minutes to first push.

Pull the image, mount a volume, open the web UI. On first boot OmniRepo lays out the data root, applies migrations, and mints a self-signed TLS cert.

1. Run the container

One HTTP port, one HTTPS port, one mounted volume. That's the whole deployment.

2. Log in as super-admin

Seed from bootstrap.json or rotate the temp password on first login. Argon2id, session cookies, 12h sliding TTL.

3. Create a project & repo

Repos live under projects. Pick a type — docker, rpm, deb, pypi, helm, go, npm, maven, raw, git, s3 — and point your build tool at it.

4. Push. Scan. Pull.

Artifacts land in the CAS tree. Trivy scans in a background pool. Gates block severity thresholds on pull.

$  quick start  ·  bash

# 1. Run it
docker run -d --name omnirepo \
  -p 8080:8080 -p 8443:8443 \
  -v /srv/omnirepo:/var/lib/omnirepo \
  ghcr.io/vladoportos/omnirepo:latest

# 2. Push an OCI image
docker login https://host:8443
docker tag nginx:latest \
  host:8443/platform/docker/images/nginx:latest
docker push host:8443/platform/docker/images/nginx:latest
✓ sha256:f3e4… 2.1 MB / 2.1 MB pushed

# 3. Publish a Python wheel
twine upload --repository omnirepo dist/*.whl
✓ mypkg-1.2.0-py3-none-any.whl scan: 0 CVE

# 4. Serve an APT repo (on the client)
echo "deb https://host:8443/platform/deb/stable/ bookworm main" \
  | sudo tee /etc/apt/sources.list.d/omnirepo.list
sudo apt update && sudo apt install myapp
04  —  COMPARE

Focused where Artifactory is exhaustive.

OmniRepo is built for small-to-mid teams and air-gapped corporate environments. If you need federation and HA clustering, grab a commercial tool. If you need one pane of glass on a single host, read on.

Feature | OmniRepo v1.0.1 | Artifactory | Nexus Repository | Harbor
Single static binary | ● pure-Go, scratch | ○ JVM + WAR | ○ JVM | ◐ Go, but split
OCI / Docker | ● native /v2 | ● native | ● native | ● native
RPM · APT · PyPI · Helm | ● all four, native | ● all four | ● all four | ○ OCI only
Go proxy · npm · Maven | ● native, on main | ● all three | ● all three
Git hosting | ● Smart HTTP
S3 API (SigV4) | ● gofakes3 + SigV4 | ◐ via gateway
Built-in vulnerability scan | ● Trivy, baked DB | ● Xray (paid) | ◐ IQ Server (paid) | ● Trivy
Air-gap invariant in CI | ● make test-airgap
License | ● Apache-2.0 | ◐ commercial | ◐ open core | ● Apache-2.0
05  —  BY THE NUMBERS

Small surface. Hard numbers.

1 binary
Pure Go, FROM scratch. No CGo, no JVM, no sidecars.
11 protocols
OCI · RPM · APT · PyPI · Helm · Go · npm · Maven · Git · S3 · raw — all on one router.
0 outbound
Zero network calls without an explicit admin action. Asserted in CI.
6 real clients in CI
dnf · apt · pip · helm · git · crane — driven against the running binary as conformance suites on every PR.
Open source · Apache-2.0

Fully open source, v1.0.1 shipped.

OmniRepo is open source under the Apache-2.0 license — the whole Go binary, web UI, and protocol handlers are on GitHub. The container image is free to self-host, forever. File a bug, request a protocol, or send a pull request — issues and contributions are open.

GitHub / Issues github.com/VladoPortos/omnirepo
06  —  FAQ

Questions you're probably about to ask.

Short, honest answers. If something's missing, open an issue on GitHub.

How do I get OmniRepo?
It's available now — v1.0.1 is the current release. Pull and run it: docker run -d -p 8080:8080 -p 8443:8443 -v /srv/omnirepo:/var/lib/omnirepo ghcr.io/vladoportos/omnirepo:latest — or pin ghcr.io/vladoportos/omnirepo:1.0.1 for reproducible deploys. Source code and releases are on GitHub; the install steps cover first-boot login.
Does it support npm, Go modules, or Maven?
Yes — all three landed on main right after v1.0.1 and ship in the next tagged release. You get an npm registry (packuments, tarballs, native npm publish, immutable versions), a GOPROXY module proxy (go get with GOPROXY pointed at OmniRepo), and a full Maven repository layout (mvn deploy / Gradle maven-publish with checksums and metadata). OCI/Docker, RPM, APT, PyPI, Helm, Git, S3, and raw are all in the current release.
What does it cost?
Nothing. OmniRepo is free to self-host, forever — open source under Apache-2.0. There's no paid tier, no "open core" trap, and no license server phoning home.
Is there a hosted / SaaS version?
No — and that's by design. Your artifacts are your supply chain; they stay on your infrastructure. OmniRepo is shipped as a single container you run wherever you want. One host, one docker run, your data never leaves your network.
Does it support SSO / LDAP / OIDC?
At launch: local accounts with Argon2id password hashing and session cookies. SSO (OIDC) and LDAP are on the roadmap for the release right after v1.0 — once the core protocol work is locked down and we can give enterprise auth the attention it deserves.
What hardware do I need?
One Linux host with Docker. CPU/RAM scale with scan concurrency, not artifact volume — a 2 vCPU / 4 GB box handles a small team comfortably. Disk scales with what you store. Image ships for linux/amd64; arm64 / Raspberry Pi support is on the roadmap for a follow-up release.
How do I back up the data?
Snapshot the mounted volume. OmniRepo stores artifacts as plain content-addressed files and metadata in a SQLite database with WAL — any filesystem-level or volume-snapshot backup works. No separate dump procedure, no custom tooling required. Restore is a directory copy.
Does it work in an air-gapped environment?
Yes — air-gap was a first-class requirement, not an afterthought. There is no telemetry, no update check, no license server, no crash reporter. The binary makes zero outbound HTTP calls of its own — we assert that on every PR with make test-airgap, which boots the binary in a sandboxed network namespace and fails if a single byte leaves. The only network egress that ever happens is when an admin clicks Update on the Trivy DB page, and even that is optional — you can drop a tarball onto disk instead.
How does OmniRepo compare to Artifactory / Nexus / Harbor?
One container versus a stack. OmniRepo speaks all the major protocols natively in one Go binary with SQLite storage — no Postgres, no Redis, no Minio, no Elastic. See the full breakdown in the compare table above.
Where do I report bugs or suggest features?
GitHub: github.com/VladoPortos/omnirepo/issues. The code is public and Apache-2.0 — open an issue for bugs or feature requests, or send a pull request.
Can I make a repo publicly readable without auth?
Yes — set public_read: true on any repo. Anonymous GET and HEAD requests are allowed so native clients (pip, apt, helm, docker pull) can pull without credentials. Writes always require an authenticated user or API key. Useful for serving packages to CI runners that don't carry tokens, or for public open-source mirrors.
How do I schedule mirror syncs? Is there a built-in scheduler?
Deliberately no. OmniRepo has no in-process cron, no internal timers, no time-based job firers. Sync is triggered only by (a) the Sync now button in the UI, or (b) an external scheduler hitting POST /api/v1/projects/<p>/repos/<type>/<repo>/sync. We made this call early on: the right scheduler for your environment is the one you already have — crontab, systemd timers, Kubernetes CronJob, GitLab schedules, Jenkins, Argo, whatever. Adding one inside OmniRepo would mean re-implementing all of those badly. A one-line crontab entry beats a scheduler goroutine + a cron parser + next-run state + UI surface every time.

Ship artifacts. Not sidecars.

Deploy OmniRepo on any Linux host with one docker run. Bring your build tools, bring your air-gap policy, bring your audit requirements.

# docker pull ghcr.io/vladoportos/omnirepo:latest · linux/amd64 · single container · Trivy DB baked in