40+ package formats
Maven, npm, PyPI, Docker, Helm, Cargo, RubyGems, NuGet, Conan, Nix, Argo Workflows, Deno, Homebrew, Ollama, Kustomize, OPA Bundles — and 25 more.
One unified API surface for all of them.
Self-hosted artifact registry · Established 2024
Your hardware. Your data. Your terms. OrbitalReg is the self-hosted artifact registry for teams who need to own what they ship — 40+ formats, native CVE detection, signature-verified pulls, and first-class air-gap mode, all in one Go binary.
Trust signals
Drop-in migration
Importers for every major registry.
Open-source roots
Postgres · MinIO · Sigstore · Helm.
SOC 2 Type II
Audit in progress.
ISO 27001
Controls mapped to product.
EU sovereignty
GDPR-compliant · hosted in Frankfurt.
Why now
The artifact-registry market followed the rest of the industry toward SaaS-first delivery, per-user pricing, and roadmaps shaped by analyst-friendly enterprises. That's the right path for some teams. For everyone else, the available choices have been getting steadily less attractive.
Modern package ecosystems — twenty-plus that didn't exist a decade ago — have outgrown the format-specific-repository designs of the previous generation of tools. Security features that should be always-on are gated behind separate licences. On-prem deployment becomes an upcharge instead of the default.
For regulated industries, defence, finance, public sector — and the long tail of operators who simply want to own what they run — OrbitalReg is what we'd build if we were starting now. Self-hosted by default. Customer sovereignty over the entire data path.
What you get
Maven, npm, PyPI, Docker, Helm, Cargo, RubyGems, NuGet, Conan, Nix, Argo Workflows, Deno, Homebrew, Ollama, Kustomize, OPA Bundles — and 25 more.
One unified API surface for all of them.
Trivy and Grype scan every artifact at upload and on demand. Results stay on your hardware — no upstream calls unless you opt in.
Sigstore signature verification + provenance checks integrated.
Cryptographic signature verification before any artifact leaves the registry. CMS, OpenPGP, RSA, Sigstore — all supported. Pulls of unverified artifacts are blocked at the gate.
Customisable per-repo policies.
Fresh installations block all outbound calls. Operators explicitly opt in to webhooks, telemetry, and external CVE feeds. The default is the safest setting.
Tested for true offline operation — no surprise phone-homes.
Every artifact carries its CI run, commit SHA, builder identity, and Sigstore signature. Trace any binary back to its source. Promote builds across environments with confidence.
GitHub Actions, GitLab CI, Jenkins — all wire up natively.
Terraform provider, Kubernetes operator, and the orbital CLI ship out of the box. Helm chart with an air-gapped tarball variant. Your registry, declarative.
No microservice sprawl, no sidecars.
Security included
Most artifact registries gate security behind separate licences, add-on products, or higher tiers. OrbitalReg ships every feature in every tier — including the €100 design-partner tier. Security is the product, not an upcharge.
Supply-chain integrity
Runtime defense
Identity & access
Audit & sovereignty
All of the above ship in OrbitalReg from the €100 design-partner tier upward. Security is the product.
See it in action
Six surfaces a customer engineer touches in their first week.
Our principles
01
We build software customers install, not software customers subscribe to. Deployable on your hardware, your cluster, your air-gapped network.
02
Self-hosted means your traffic stays yours. We do not meter, and we do not gate features behind consent. Outbound is limited to a daily anonymous license-state heartbeat — install ID, version, license state, nothing about your users, repos, or artifacts. It is disabled entirely in air-gap mode.
03
Per-deployment pricing — never per-user. A lifetime price cap on multi-year contracts. No renewal-time surprises, no audit-driven true-ups.
04
Every release passes human code review before shipping. We publish reproducible builds, SBOMs, and Sigstore signatures so what runs in your cluster is provably what we wrote. Breaking changes get disclosed early; we never silently deprecate.
How it fits
Between CI and developers
Build artifacts land here from GitHub Actions, GitLab CI, Jenkins, Tekton — with build-info envelopes intact. Developers pull them with the registry CLI of their choice, or via OrbitalReg's own orbital tool.
Between you and the public web
OrbitalReg can proxy upstream registries (npm, Maven Central, Docker Hub, PyPI) with a configurable cache horizon — or it can refuse to talk outbound at all. Your call.
Between security and ops
Detection runs continuously; security policies block pulls that violate them. Ops sees one service with a single Postgres and a single S3-compatible bucket. No microservice sprawl.
Pricing
Per-deployment, not per-user. Per-licence, not per-environment. We do not limit environment scaling — most providers do. Predictable annual fee, capped for life if you commit long-term.
Design Partner · Limited cohort
€100/year
1 cluster licence · feedback in exchange for full access
You commit to: regular feedback calls, use-case sharing, beta-testing new features, a public quote we can use after the trial.
Commercial · Year 1 entry
€10,000 in year 1
3 cluster licences · upgrade to Lifetime-locked for multi-year price guarantee
Long-term Partner · Lifetime price lock
Lifetime-locked
Multi-year contract · sized to your company · the price you sign for never rises
Lifetime promise
Self-hosted means we cannot see your usage. We bill what we agree on, year after year. No metering, no surprise audit clauses, no "true-up" invoices.
Prices in EUR. Multi-year pricing requires a 3-year commitment to lock the cap; renewal at the same cap is at your option, never ours.
Invite-only access
Saw something in the walkthrough that fits? Tell us what you're building, what you're running today, and where a self-hosted registry would help — we'll take it from there.