OCI Registry

The Sekuire OCI Registry stores and distributes container images for AI agents, with integrated vulnerability scanning and image signing.

Overview

Sekuire provides a purpose-built OCI (Open Container Initiative) registry for agent images. Unlike general-purpose registries, the Sekuire registry ties images to agent identities and enforces workspace policies.

text

┌─────────────┐     push      ┌──────────────────┐     pull      ┌─────────────┐
│  Developer  │ ────────────▶ │  Sekuire OCI     │ ◀──────────── │  Runtime    │
│             │               │  Registry        │               │             │
│  docker push│               │  - Scanning      │               │  docker pull│
│             │               │  - Signing       │               │             │
└─────────────┘               │  - Policy check  │               └─────────────┘
                              └──────────────────┘

Push and Pull

Authentication

sekuire registry login

This stores credentials in ~/.sekuire/registry-auth.json and configures Docker credential helpers.

Pushing Images

Tag and pushbash

docker build -t registry.sekuire.com/my-org/my-agent:v1.0.0 .
sekuire registry push registry.sekuire.com/my-org/my-agent:v1.0.0

Pulling Images

bash

docker pull registry.sekuire.com/my-org/my-agent:v1.0.0

Vulnerability Scanning

Every image pushed to the registry is automatically scanned for vulnerabilities:

Severity	Action	Policy Default
Critical	Block deployment, notify owner	Block
High	Block deployment by default	Block
Medium	Warning, allow deployment	Warn
Low	Informational	Allow

Viewing Scan Reports

bash

sekuire images scan my-org/my-agent:v1.0.0

# Detailed report
sekuire images scan-report my-org/my-agent:v1.0.0

⚠️Workspace policies can override the default severity thresholds. Some compliance frameworks (HIPAA, PCI-DSS) require blocking all High and Critical vulnerabilities.

Image Signing

Images are signed with the agent's Ed25519 key, creating a verifiable link between the agent identity and the container image:

Image digest (SHA256) is computed after push
Digest is signed with the agent's secret key
Signature is stored alongside the image in the registry
On pull, the signature is verified against the agent's public key

Listing Images

bash

# List all images in your organization
sekuire images list

# Filter by agent
sekuire images list --agent my-agent

Next Steps

sekuire registry - CLI registry commands
sekuire images - Image management CLI
sekuire docker-init - Generate Dockerfiles
Deployment Guide - Container deployment workflows