DEV.co
Open-Source DevOps · artifact-keeper

artifact-keeper

Artifact Keeper is an open-source, self-hosted package registry built in Rust that supports 45+ package formats (Maven, PyPI, npm, Docker, Cargo, etc.). It includes built-in security scanning, WASM plugin extensibility, and peer-to-peer replication for distributed artifact distribution.

Source: GitHub — github.com/artifact-keeper/artifact-keeper
822
GitHub stars
89
Forks
Rust
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryartifact-keeper/artifact-keeper
Ownerartifact-keeper
Primary languageRust
LicenseMIT — OSI-approved
Stars822
Forks89
Open issues93
Latest releasev1.3.0 (2026-07-06)
Last updated2026-07-08
Sourcehttps://github.com/artifact-keeper/artifact-keeper

What artifact-keeper is

Rust-based registry with Axum web framework, PostgreSQL backend, OpenSearch full-text indexing, and layered architecture supporting native protocol handlers for 45+ ecosystems. Integrates Trivy and Grype for vulnerability scanning, offers WIT-based WASM plugins via Wasmtime, and implements recursive P2P replication via a mesh topology.

Quickstart

Get the artifact-keeper source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/artifact-keeper/artifact-keeper.gitcd artifact-keeper# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Large-scale multi-format artifact distribution

Organizations managing artifacts across Java, Python, Node.js, Docker, Helm, Rust, and 39+ other formats benefit from unified protocol support and full-text search without maintaining separate registries.

Artifactory/Nexus replacement or migration

Built-in migration tooling and drop-in protocol compatibility reduce switching friction. Self-hosted control and MIT licensing appeal to cost-conscious or compliance-constrained teams.

Edge-distributed artifact caching and replication

Peer mesh replication with chunked transfers and network-aware scheduling supports geographically distributed CI/CD pipelines, reducing bandwidth costs and deployment latency.

Implementation considerations

  • PostgreSQL 16 and OpenSearch are external dependencies; plan for HA setup, backup/restore procedures, and schema versioning during upgrades.
  • WASM plugin development requires WIT schema familiarity and Wasmtime sandboxing knowledge; custom format handlers may need iterative testing.
  • Security scanning pipeline (Trivy, Grype, OpenSCAP) requires scanner binary availability and database updates; configure auto-update or manual refresh cadence.
  • Borg replication mesh requires stable network links and peer discovery mechanism; bandwidth profiling and latency-aware routing configuration is critical for multi-region setups.
  • Container images built on DISA STIG UBI 9 base; verify compliance requirements align and plan for image refresh frequency.

When to avoid it — and what to weigh

  • Minimal security/compliance audit trail required — While security scanning is integrated, the README does not detail audit logging, immutable ledgers, or compliance certifications (SOC2, FedRAMP, etc.). Requires independent review.
  • No Rust infrastructure or ops expertise available — Rust deployment, troubleshooting, and binary updates require teams with Rust ecosystem experience. Go or Java alternatives may have broader operational support.
  • Requires vendor SLA or commercial support contract — MIT license permits use but does not include vendor support, SLAs, or liability assurances. Community support or paid engineering engagement unknown.
  • High-volume artifact scanning with strict latency SLAs — Scanner (Trivy/Grype) integration is present but performance under peak load, caching behavior, and scan queue management are not documented. Requires benchmarking.

License & commercial use

MIT License (OSI-approved, permissive). Permits commercial use, modification, and distribution with minimal restrictions. No copyleft obligations or patent protections included.

MIT license explicitly permits commercial use. However, no warranty, liability protection, or indemnification is provided. Vendor support, SLAs, and maintenance policies are unknown. Legal review recommended for mission-critical deployments.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityHigh
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Dual vulnerability scanners (Trivy + Grype) integrated for container and dependency analysis. Policy engine can quarantine artifacts. STIG-approved UBI 9 base images, non-root execution, no shell in runtime container. Multi-auth (JWT, OIDC, LDAP, SAML) available. Artifact signing (GPG/RSA) for select formats. NOT assessed: pen-test history, vulnerability disclosure policy, end-to-end encryption, secrets management, zero-trust network controls, or external security audit. Requires independent security review for production use.

Alternatives to consider

JFrog Artifactory (SaaS/self-hosted)

Market leader with 30+ years maturity, commercial support, compliance certifications (SOC2, FedRAMP), and broader ecosystem integrations. Higher cost and less control over data/infrastructure.

Sonatype Nexus Repository (self-hosted, Java)

Mature alternative with strong Maven/Java heritage, commercial support, and audit trail. Narrower format support than Artifact Keeper; Java stack vs. Rust.

Harbor (open-source, Go/TypeScript)

Container-focused registry (OCI/Docker, Helm) with robust security scanning and Kubernetes-native deployment. Narrower than Artifact Keeper (45+ formats); strong enterprise backing (VMware/Linux Foundation).

Software development agency

Build on artifact-keeper with DEV.co software developers

Review the documentation at artifactkeeper.com, deploy the demo, and run a proof-of-concept migration from your current registry. Engage a DevOps specialist to assess Rust operability and multi-region replication needs.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

artifact-keeper FAQ

Does Artifact Keeper work with my existing package managers?
Yes, 45+ native protocol handlers cover Maven, PyPI, npm, Docker, Cargo, Go, Helm, NuGet, RubyGems, Composer, Swift, and 34 more. Custom formats can be added via WASM plugins.
Can I migrate from Artifactory or Nexus?
Artifact Keeper includes built-in migration tooling for repositories, artifacts, and permissions from JFrog Artifactory. Nexus migration is not explicitly documented; requires review.
What are the storage and database requirements?
Requires PostgreSQL 16, OpenSearch, and external storage (filesystem or S3). HA setup requires multi-node PostgreSQL and OpenSearch clusters. Sizing depends on artifact volume and replication topology.
Is commercial support available?
Not documented in README. Vendor support, SLAs, and paid support packages are unknown. Community-driven or direct sponsorship may be available via GitHub Sponsors.

Software developers & web developers for hire

Need help beyond evaluating artifact-keeper? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source devops integrations — and maintain them long-term.

Ready to evaluate Artifact Keeper for your team?

Review the documentation at artifactkeeper.com, deploy the demo, and run a proof-of-concept migration from your current registry. Engage a DevOps specialist to assess Rust operability and multi-region replication needs.