Sync container images across registries, efficiently.

ocync copies OCI images with blob deduplication, cross-repo mounting, and streaming transfers. Faster syncs, fewer requests, fewer bytes transferred, and adaptive rate control.

Get started GitHub

01 / Efficiency

Pull once.
Push everywhere.

Global blob deduplication means shared layers transfer exactly once from source, then mount across all targets. AIMD (additive increase, multiplicative decrease) concurrency adapts to each registry independently: no manual tuning, no throttling.

4x faster cold syncs

40% fewer API requests

AIMD adaptive rate control

02 / Security

Secure by default.
Not by configuration.

FIPS 140-3 validated cryptography ships in every Linux build. Minimal, hardened deployment artifacts. No elevated privileges required, ever.

FIPS 140-3 (NIST #4816)Hardened container imagesNo elevated privilegesNative registry auth

03 / Experience

One binary.
Ship it anywhere.

A single CLI binary with zero runtime dependencies. Helm chart supports Deployment, CronJob, or Job. Watch mode for continuous sync. Container images ready to pull.

# Copy a single image
ocync copy cgr.dev/chainguard/nginx:latest \
    123456789012.dkr.ecr.us-east-1.amazonaws.com/nginx:latest

# Or deploy with Helm
helm install ocync oci://public.ecr.aws/clowdhaus/ocync

04 / Registries

Every registry.
Auto-detected auth.

Auto-detected auth and provider-specific optimizations. ECR blob mounting. Docker Hub rate-limit awareness. Works with any OCI-compliant registry out of the box.

Amazon ECRDocker HubGHCRGARACRChainguardAny OCI registry

View registry guides

Sync container images across registries, efficiently.

Pull once.Push everywhere.

Secure by default.Not by configuration.

One binary.Ship it anywhere.

Every registry.Auto-detected auth.

Pull once.
Push everywhere.

Secure by default.
Not by configuration.

One binary.
Ship it anywhere.

Every registry.
Auto-detected auth.