Self-Hosted Container Image Management: Skopeo vs ORAS vs Crane (2026)

Managing container images across registries is a daily operational task for platform engineers. Whether you’re mirroring images to an air-gapped environment, promoting builds between staging and production, or auditing what’s deployed across multiple clusters, having the right image management tooling is essential.

This guide compares three open-source container image tools — Skopeo, ORAS (OCI Registry As Storage), and Crane (from go-containerregistry) — that handle image copying, inspection, signing, and OCI artifact management without requiring a full Docker daemon.

Why Image Management Tools Matter

Running docker pull and docker push works fine for development, but production environments have stricter requirements. You need to inspect image layers before deploying, copy images between registries without a local daemon, sign images for supply chain security, and manage OCI artifacts alongside container images. Tools like Skopeo, ORAS, and Crane fill this gap by providing lightweight, daemonless image operations that integrate cleanly into CI/CD pipelines and automated workflows.

Quick Comparison

Skopeo: The Swiss Army Knife of Image Management

Skopeo is part of the Red Hat container tooling ecosystem (alongside Podman and Buildah). Its strength lies in inspecting, copying, and signing container images without ever pulling them to a local Docker daemon.

Key Features

• Remote inspection — View image layers, environment variables, and metadata without downloading
• Registry-to-registry copy — Mirror images between registries without local storage
• Image signing and verification — Native support for sigstore/cosign and simple signing
• Trust policy enforcement — Define which registries and signatures are acceptable
• Storage drivers — Works with Docker, containers-storage, OCI directories, and tarballs

Docker Compose Deployment

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

version: "3.8"
services:
  skopeo-runner:
    image: quay.io/skopeo/stable:latest
    volumes:
      - ./policy.json:/etc/containers/policy.json:ro
      - ./registries.conf:/etc/containers/registries.conf:ro
      - skopeo-data:/tmp/skopeo
    entrypoint: ["/bin/sh", "-c"]
    command:
      - |
        skopeo copy --all           --src-tls-verify=true           --dest-tls-verify=true           docker://docker.io/library/nginx:latest           docker://registry.internal:5000/nginx:latest
    restart: "no"

volumes:
  skopeo-data:

Common Operations

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

# Inspect image metadata remotely
skopeo inspect docker://docker.io/library/nginx:latest

# Copy image between registries (all architectures)
skopeo copy --all   docker://docker.io/library/nginx:1.25   docker://registry.example.com/nginx:1.25

# Copy from Docker daemon to OCI directory
skopeo copy docker-daemon:myapp:v1 oci:/tmp/myapp-oci

# Sign an image with sigstore
skopeo sign --sign-by mykey@domain.com   docker://registry.example.com/myapp:v1

# Verify image signatures
skopeo standalone-verify manifest.json   docker://registry.example.com/myapp:v1   mykey@domain.com

When to Choose Skopeo

Skopeo excels when you need image signing, trust policies, or integration with Podman/Buildah workflows. It’s the go-to choice for organizations implementing container image supply chain security, especially in government and regulated industries where signature verification is mandatory.

ORAS: OCI Artifacts for Everything

ORAS extends OCI registries beyond container images. Helm charts, SBOMs, test results, and any arbitrary file can be stored in your existing registry using ORAS’s artifact management.

Key Features

• OCI Artifact pushing/pulling — Store any file type in an OCI registry
• Helm chart distribution — Push and pull Helm charts as OCI artifacts
• Referrers API support — Link artifacts together (SBOM → image, signature → image)
• Cross-platform CLI — Available for Linux, macOS, and Windows
• Registry compatibility — Works with Docker Hub, GHCR, ACR, ECR, Harbor, and Zot

Docker Compose Deployment

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

version: "3.8"
services:
  oras-cli:
    image: ghcr.io/oras-project/oras:latest
    volumes:
      - ./artifacts:/artifacts:ro
    working_dir: /artifacts
    entrypoint: ["/bin/sh", "-c"]
    command:
      - |
        oras push registry.example.com/my-artifacts:v1           ./sbom.json:application/vnd.sbom+json           ./test-results.xml:application/vnd.test.results+xml
    restart: "no"

Common Operations

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

# Push arbitrary files as OCI artifacts
oras push registry.example.com/artifacts:v1   ./config.yaml:application/vnd.config+yaml   ./data.json:application/vnd.data+json

# Push a Helm chart as an OCI artifact
oras push registry.example.com/charts/mychart:v1.0.0   --artifact-type application/vnd.cncf.helm.config.v1+json   ./mychart-1.0.0.tgz

# Pull an artifact
oras pull registry.example.com/artifacts:v1   --output ./downloaded

# Discover artifact referrers (SBOMs, signatures)
oras discover registry.example.com/myimage:v1   --artifact-type application/vnd.sbom+json

# Login to a registry
oras login registry.example.com   --username admin --password secret

When to Choose ORAS

ORAS is ideal when you want to use your container registry as a universal artifact store. If your team needs to distribute Helm charts, SBOMs, configuration bundles, or any non-container artifacts alongside images, ORAS eliminates the need for separate artifact repositories.

Crane: Lightweight Registry Client

Crane is the CLI component of Google’s go-containerregistry library. It provides a minimal, fast interface for common registry operations with excellent performance for scripting and automation.

Key Features

• Registry operations — Pull, push, copy, delete images and manifests
• Index manipulation — Flatten, append, and modify multi-arch image indexes
• Digest-based references — Full support for immutable digest-pinned references
• Go library — The underlying library can be imported into your own Go applications
• Minimal dependencies — Single binary with no runtime requirements

Docker Compose Deployment

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

version: "3.8"
services:
  crane-runner:
    image: gcr.io/go-containerregistry/crane:debug
    environment:
      - DOCKER_CONFIG=/root/.docker
    volumes:
      - ./config.json:/root/.docker/config.json:ro
    entrypoint: ["/bin/sh", "-c"]
    command:
      - |
        crane copy           docker.io/library/alpine:latest@sha256:abc123...           registry.example.com/alpine:latest
    restart: "no"

Common Operations

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17

# Copy an image by digest
crane copy   docker.io/library/nginx:latest@sha256:abc123def456   registry.example.com/nginx:latest

# List tags in a repository
crane ls registry.example.com/myrepo

# Get image digest
crane digest registry.example.com/myapp:v1

# Export image to a tarball
crane export registry.example.com/myapp:v1 /tmp/myapp.tar

# Delete an image tag
crane delete registry.example.com/myapp:old-tag

# Flatten a multi-arch index to a single platform
crane flatten --platform linux/amd64   registry.example.com/multiarch:v1

When to Choose Crane

Crane shines in CI/CD pipelines and automation scripts where you need fast, scriptable registry operations. Its Go library is also the foundation for many other container tools, making it a solid choice for developers building custom registry integrations.

Choosing the Right Tool

Why Self-Host Image Management Tooling

Running image management tools as part of your self-hosted infrastructure gives you full control over the container supply chain. Without daemon-based workflows, you reduce the attack surface, eliminate unnecessary Docker socket mounts in CI runners, and enable operations in restricted or air-gapped environments. Registry-to-registry copying ensures your production clusters pull from internal mirrors, improving deployment speed and reducing external dependency risks.

For container registry deployment options, see our container registry comparison and registry proxy cache guide. For supply chain security, check our supply chain security guide.

FAQ

Do I need Docker installed to use these tools?

No. All three tools are daemonless — they communicate directly with container registries via the OCI Distribution Specification. Skopeo can also work with local storage backends like containers-storage and OCI directories without Docker.

Can these tools handle multi-architecture images?

Yes. All three tools support multi-architecture (multi-arch) images. Skopeo’s --all flag copies all platform variants. ORAS and Crane both handle multi-arch manifests and indexes natively.

Which tool supports image signing?

Skopeo has the most comprehensive signing support, including sigstore/cosign and simple signing with GPG keys. ORAS and Crane focus on artifact management and registry operations rather than cryptographic signing.

Can I store Helm charts with these tools?

ORAS has native support for pushing and pulling Helm charts as OCI artifacts (OCI 1.1 referrers). Skopeo can copy Helm chart images but doesn’t manage Helm-specific metadata. Crane can handle any OCI content but requires manual media type specification for Helm artifacts.

Are these tools suitable for air-gapped environments?

Yes. All three can copy images between registries without internet access once installed. Skopeo is particularly well-suited for air-gapped setups because it can export images to tarballs and import from tarballs, enabling offline transport via physical media.

What’s the performance difference between the tools?

Crane is generally the fastest for simple registry operations due to its minimal design and efficient Go implementation. Skopeo has slightly more overhead due to its trust policy and signature verification features. ORAS performance is comparable to Crane for basic operations.