SaaSHub helps you find the best software and product alternatives Learn more →
Top 23 Go OCI Projects
-
Neat. I like to see other takes on this. Any reason to use rootless vs `userns=auto`? I haven't really seen any discussion of it other than this issue: https://github.com/containers/podman/discussions/13728
-
InfluxDB
InfluxDB – Built for High-Performance Time Series Workloads. InfluxDB 3 OSS is now GA. Transform, enrich, and act on time series data directly in the database. Automate critical tasks and eliminate the need to move data externally. Download now.
-
Project mention: Kubernetes Without Docker: Why Container Runtimes Are Changing the Game in 2025 | dev.to | 2025-04-23
containerd Official Site The runtime powering most cloud K8s clusters and your future mental breakdowns.
-
Project mention: Kubernetes Without Docker: Why Container Runtimes Are Changing the Game in 2025 | dev.to | 2025-04-23
gVisor: Sandboxed Container Runtime by Google For when your security team actually audits things.
-
Project mention: Securing Kubernetes: Encrypting Data at Rest with kubeadm and containerd on Amazon Linux 2023 | dev.to | 2025-04-15
Installed runc v1.2.6 runc
-
Project mention: Dockerfile Best Practices: Building Efficient and Secure Containers | dev.to | 2024-08-16
Regularly scan your Docker images for vulnerabilities using tools like Trivy or Clair.
-
-
Over time, registries accumulate a lot of garbage in the form of blobs referenced by old images that are not needed anymore. Many registry implementations, such as CNCF Distribution, offer garbage-collection mechanisms to delete unreferenced blobs and free up storage space. However, for that to happen, old images (tags) referencing them have to be deleted first.
-
SaaSHub
SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives
-
Project mention: Kubernetes Without Docker: Why Container Runtimes Are Changing the Game in 2025 | dev.to | 2025-04-23
BuildKit Faster Docker Builds Build speed + cache control = win.
-
Buildah is another tool that can build OCI container images without requiring root privileges:
-
syft
CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Syft (https://github.com/anchore/syft) and ScanCode (https://github.com/aboutcode-org/scancode-toolkit) are good open-source tools to generate SBOMs and search repos for licensing information — I'm curious to hear if there are reasons why those wouldn't work for enterprise purposes.
-
Yes - using Cri-o[0] or docker checkpoint/restore api (which uses cri-o)
[0] - https://cri-o.io/
-
-
komiser
Open-source cloud-environment inspector. Supporting AWS, GCP, Azure, and more! Your cloud resources will have nowhere to hide!
Another option is a similar product offered by Tailwarden, which is open source. It will offer a few different options and the hosting part will be up to you. This is Komiser, whose code is available on Github, and which provides a Docker image.
-
-
Project mention: Building a Linux Container Runtime from Scratch | news.ycombinator.com | 2025-03-26
Why not use any of the existing OCI Runtimes? They take well-defined[0] JSON description as input, and are pretty well-contained (single static binary). And because they are separate binaries, not libraries, you don't need to worry about things like thread safety or FD leaking.
[0] https://github.com/opencontainers/runtime-spec/blob/main/con...
-
First, if Microsoft used any of the Spegel code then it should provide proper attribution. A best practice is to put the LICENSE file in the root of project (both peerd and spegel do). But also, you need to put the license in the header of each file as a best practice. Like Microsoft did here https://github.com/Azure/peerd/blob/main/api/docs.go#L1
spegel did not follow best practices to put the copyright in the file itself: https://github.com/spegel-org/spegel/blob/main/internal/web/...
Ideally starting with something like this
// SPDX-License-Identifier: MIT
-
firecracker-containerd
firecracker-containerd enables containerd to manage containers as Firecracker microVMs
-
Project mention: Introduction to Gitless GitOps: A New OCI-Centric and Secure Architecture | dev.to | 2025-04-16
For implementation, the OCI artifact manipulation client tool ORAS (CNCF Sandbox project) seems useful. Flux uses oras-go.
-
Project mention: Zarf: DevSecOps for Air Gap and Limited-Connection Systems | news.ycombinator.com | 2025-02-23
-
kaniko <https://github.com/GoogleContainerTools/kaniko>, ko <https://github.com/ko-build/ko>, bazel <https://github.com/bazel-contrib/rules_oci>, apko <https://github.com/chainguard-dev/apko>, or other tools.
Each of those has tradeoffs compared to Dockerfiles (I have no need for bazel, but if I did, then adding `rules_oci` might be a win-win, rather than using a Dockerfile). If I used Nix, then the Nix dockerTools would be a huge win (I don't use Nix). If I were shipping Go programs, `ko` would likely be a good baseline.
-
zot
zot - A scale-out production-ready vendor-neutral OCI-native container image/artifact registry (purely based on OCI Distribution Specification)
Project mention: serverless-registry: A Docker registry backed by Workers and R2 | news.ycombinator.com | 2024-09-05Yeah in our case we are operating a private registry on behalf of our customers, so slightly different use-case than running your own registry for your own internal use.
If you do want to run your own registry, there's some great OSS projects including https://github.com/project-zot/zot, https://goharbor.io/, and of course https://github.com/distribution/distribution.
-
The Open Container Initiative (OCI) defines standards for container formats and runtimes to ensure consistency and compatibility across different container tools and platforms. It encompasses:
-
flintlock
Lock, Stock, and Two Smoking MicroVMs. Create and manage the lifecycle of MicroVMs backed by containerd.
Project mention: Flintlock: Lock, Stock, and Two Smoking MicroVMs | news.ycombinator.com | 2024-09-03 -
SaaSHub
SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives
NOTE:
The open source projects on this list are ordered by number of github stars.
The number of mentions indicates repo mentiontions in the last 12 Months or
since we started tracking (Dec 2020).
Go OCI discussion
Go OCI related posts
-
Automatic tag deletion for Docker registries
-
Embracing Open Standards in Cloud-Native Development
-
Open Container Initiative
-
Kubernetes Without Docker: Why Container Runtimes Are Changing the Game in 2025
-
Securing Kubernetes: Encrypting Data at Rest with kubeadm and containerd on Amazon Linux 2023
-
We clone a running VM in 2 seconds
-
OCI Registry as Storage (ORAS): Distribute Artifacts Across OCI Registries
-
A note from our sponsor - SaaSHub
www.saashub.com | 17 May 2025
Index
What are some of the best open-source OCI projects in Go? This list will help you:
| # | Project | Stars |
|---|---|---|
| 1 | podman | 26,739 |
| 2 | containerd | 18,540 |
| 3 | gvisor | 16,456 |
| 4 | runc | 12,351 |
| 5 | clair | 10,613 |
| 6 | grype | 9,841 |
| 7 | distribution | 9,518 |
| 8 | buildkit | 8,724 |
| 9 | buildah | 7,851 |
| 10 | syft | 6,956 |
| 11 | cri-o | 5,403 |
| 12 | pouch | 4,642 |
| 13 | komiser | 4,050 |
| 14 | image-spec | 3,735 |
| 15 | runtime-spec | 3,357 |
| 16 | spegel | 2,655 |
| 17 | firecracker-containerd | 2,350 |
| 18 | oras | 1,725 |
| 19 | zarf | 1,552 |
| 20 | apko | 1,350 |
| 21 | zot | 1,218 |
| 22 | distribution-spec | 926 |
| 23 | flintlock | 832 |
Sponsored
InfluxDB – Built for High-Performance Time Series Workloads
InfluxDB 3 OSS is now GA. Transform, enrich, and act on time series data directly in the database. Automate critical tasks and eliminate the need to move data externally. Download now.
www.influxdata.com