artifact-keeper
Artifact Keeper is an open-source, self-hosted package registry built in Rust that supports 45+ package formats (Maven, PyPI, npm, Docker, Cargo, etc.). It includes built-in security scanning, WASM plugin extensibility, and peer-to-peer replication for distributed artifact distribution.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | artifact-keeper/artifact-keeper |
| Owner | artifact-keeper |
| Primary language | Rust |
| License | MIT — OSI-approved |
| Stars | 822 |
| Forks | 89 |
| Open issues | 93 |
| Latest release | v1.3.0 (2026-07-06) |
| Last updated | 2026-07-08 |
| Source | https://github.com/artifact-keeper/artifact-keeper |
What artifact-keeper is
Rust-based registry with Axum web framework, PostgreSQL backend, OpenSearch full-text indexing, and layered architecture supporting native protocol handlers for 45+ ecosystems. Integrates Trivy and Grype for vulnerability scanning, offers WIT-based WASM plugins via Wasmtime, and implements recursive P2P replication via a mesh topology.
Get the artifact-keeper source
Clone the repository and explore it locally.
git clone https://github.com/artifact-keeper/artifact-keeper.gitcd artifact-keeper# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- PostgreSQL 16 and OpenSearch are external dependencies; plan for HA setup, backup/restore procedures, and schema versioning during upgrades.
- WASM plugin development requires WIT schema familiarity and Wasmtime sandboxing knowledge; custom format handlers may need iterative testing.
- Security scanning pipeline (Trivy, Grype, OpenSCAP) requires scanner binary availability and database updates; configure auto-update or manual refresh cadence.
- Borg replication mesh requires stable network links and peer discovery mechanism; bandwidth profiling and latency-aware routing configuration is critical for multi-region setups.
- Container images built on DISA STIG UBI 9 base; verify compliance requirements align and plan for image refresh frequency.
When to avoid it — and what to weigh
- Minimal security/compliance audit trail required — While security scanning is integrated, the README does not detail audit logging, immutable ledgers, or compliance certifications (SOC2, FedRAMP, etc.). Requires independent review.
- No Rust infrastructure or ops expertise available — Rust deployment, troubleshooting, and binary updates require teams with Rust ecosystem experience. Go or Java alternatives may have broader operational support.
- Requires vendor SLA or commercial support contract — MIT license permits use but does not include vendor support, SLAs, or liability assurances. Community support or paid engineering engagement unknown.
- High-volume artifact scanning with strict latency SLAs — Scanner (Trivy/Grype) integration is present but performance under peak load, caching behavior, and scan queue management are not documented. Requires benchmarking.
License & commercial use
MIT License (OSI-approved, permissive). Permits commercial use, modification, and distribution with minimal restrictions. No copyleft obligations or patent protections included.
MIT license explicitly permits commercial use. However, no warranty, liability protection, or indemnification is provided. Vendor support, SLAs, and maintenance policies are unknown. Legal review recommended for mission-critical deployments.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | High |
| DEV.co fit | Good |
| Assessment confidence | High |
Dual vulnerability scanners (Trivy + Grype) integrated for container and dependency analysis. Policy engine can quarantine artifacts. STIG-approved UBI 9 base images, non-root execution, no shell in runtime container. Multi-auth (JWT, OIDC, LDAP, SAML) available. Artifact signing (GPG/RSA) for select formats. NOT assessed: pen-test history, vulnerability disclosure policy, end-to-end encryption, secrets management, zero-trust network controls, or external security audit. Requires independent security review for production use.
Alternatives to consider
JFrog Artifactory (SaaS/self-hosted)
Market leader with 30+ years maturity, commercial support, compliance certifications (SOC2, FedRAMP), and broader ecosystem integrations. Higher cost and less control over data/infrastructure.
Sonatype Nexus Repository (self-hosted, Java)
Mature alternative with strong Maven/Java heritage, commercial support, and audit trail. Narrower format support than Artifact Keeper; Java stack vs. Rust.
Harbor (open-source, Go/TypeScript)
Container-focused registry (OCI/Docker, Helm) with robust security scanning and Kubernetes-native deployment. Narrower than Artifact Keeper (45+ formats); strong enterprise backing (VMware/Linux Foundation).
Build on artifact-keeper with DEV.co software developers
Review the documentation at artifactkeeper.com, deploy the demo, and run a proof-of-concept migration from your current registry. Engage a DevOps specialist to assess Rust operability and multi-region replication needs.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
artifact-keeper FAQ
Does Artifact Keeper work with my existing package managers?
Can I migrate from Artifactory or Nexus?
What are the storage and database requirements?
Is commercial support available?
Software developers & web developers for hire
Need help beyond evaluating artifact-keeper? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source devops integrations — and maintain them long-term.
Ready to evaluate Artifact Keeper for your team?
Review the documentation at artifactkeeper.com, deploy the demo, and run a proof-of-concept migration from your current registry. Engage a DevOps specialist to assess Rust operability and multi-region replication needs.