CodeQL packages cannot be mirrored to nor proxied by an OCI-compliant registry #21322

@gpettey-ercot

Description

CodeQL packages cannot be mirrored to nor proxied by an OCI-compliant registry.

From JFrog support:

Following further investigation with our internal technical teams, we have identified a significant discrepancy between the CodeQL pack manifests and the official OCI Image Format Specification (documented here).
Specifically, the config.digest field which is a mandatory requirement for both Docker and OCI-compliant registries is missing from the manifest. As shown in the config object below:
{
"digest": "sha256:4190c3a14d81fb38d2814b6b49532e191da1843c029e12de0042c199f3779314",
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"size": 932,
"config": {
"digest": "",
"mediaType": "application/vnd.github.codeql.package.v1",
"size": 0
},
"layers": [
{
"digest": "sha256:7ff6508a0330f660acc51d5682675e5b2a3a7314e2826ef6caa3c9ba0cbac5d9",
"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
"size": 16402231
}
],
"labels": {
"com.github.codeql.cli.version": "2.24.1",
"org.opencontainers.image.title": "codeql/python-queries",
"org.opencontainers.image.revision": "fedb9464aff82db8e415b26211efa75d806dc9f4",
"org.opencontainers.image.created": "fedb9464aff82db8e415b26211efa75d806dc9f4",
"org.opencontainers.image.version": "1.7.6",
"com.github.package.type": "codeql_pack_query",
"com.github.codeql.dependencies": "{"codeql/python-all":"6.1.0","codeql/suite-helpers":"1.0.41"}"
}
}
While the native CodeQL client is able to pull these packs, our investigation confirms that the manifests do not strictly adhere to the OCI Image Format Specification.
In a standard OCI manifest, the config.digest field is a mandatory descriptor. However, the CodeQL packs use a custom format where the config object contains inline metadata instead of a digest pointing to an external blob. Because Artifactory and standard OCI clients like ORAS strictly enforce the presence of this digest for validation, the requests are rejected with a "Method Not Allowed" or "Bad Request" error.
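As an added illustration (this is not code from the issue, from CodeQL, or from JFrog), the following Python applies the descriptor checks that a strict registry or ORAS performs to a manifest shaped like the one quoted above, and then shows what a conforming `config` descriptor looks like: the config is stored as its own blob and the manifest references it by content digest and size. The manifest literal is a constructed, abbreviated copy of the quoted one; the digests it carries are the ones shown on the page, and the repaired config blob is the two-byte empty JSON object `{}`, whose digest the OCI spec uses for its "empty" descriptor.

```python
import hashlib
import json
import re

# Constructed, abbreviated copy of the manifest quoted in the issue. The
# "labels" map is omitted because it plays no part in descriptor validation.
QUOTED_MANIFEST = {
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": {
        "digest": "",
        "mediaType": "application/vnd.github.codeql.package.v1",
        "size": 0,
    },
    "layers": [
        {
            "digest": "sha256:7ff6508a0330f660acc51d5682675e5b2a3a7314e2826ef6caa3c9ba0cbac5d9",
            "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
            "size": 16402231,
        }
    ],
}

# OCI digest grammar: <algorithm>:<encoded>; sha256 digests must be 64 hex chars.
DIGEST_RE = re.compile(r"^[a-z0-9]+(?:[+._-][a-z0-9]+)*:[A-Za-z0-9=_-]+$")
SHA256_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def descriptor_problems(desc, where):
    """Return a list of reasons why `desc` is not a valid OCI content descriptor."""
    problems = []
    for key in ("mediaType", "digest", "size"):
        if key not in desc:
            problems.append(f"{where}: missing required field {key!r}")
    digest = desc.get("digest", "")
    if not isinstance(digest, str) or digest == "":
        problems.append(f"{where}.digest is empty")
    elif not DIGEST_RE.match(digest):
        problems.append(f"{where}.digest is not <algorithm>:<encoded>")
    elif digest.startswith("sha256:") and not SHA256_RE.match(digest):
        problems.append(f"{where}.digest is not a well-formed sha256 digest")
    size = desc.get("size")
    if not isinstance(size, int) or isinstance(size, bool) or size < 0:
        problems.append(f"{where}.size must be a non-negative integer")
    return problems


def manifest_problems(manifest):
    """Validate the config and layer descriptors of an OCI image manifest."""
    problems = []
    config = manifest.get("config")
    if not isinstance(config, dict):
        problems.append("manifest.config is missing or not an object")
    else:
        problems += descriptor_problems(config, "config")
    layers = manifest.get("layers")
    if not isinstance(layers, list):
        problems.append("manifest.layers must be an array")
    else:
        for i, layer in enumerate(layers):
            problems += descriptor_problems(layer, f"layers[{i}]")
    return problems


def make_descriptor(blob, media_type):
    """Build a descriptor that references `blob` by its sha256 content digest."""
    return {
        "mediaType": media_type,
        "digest": "sha256:" + hashlib.sha256(blob).hexdigest(),
        "size": len(blob),
    }


def verify_blob(descriptor, blob):
    """Check that a fetched blob matches the digest and size its descriptor claims."""
    expected = make_descriptor(blob, descriptor.get("mediaType"))
    return descriptor.get("digest") == expected["digest"] and descriptor.get("size") == len(blob)


def with_config_blob(manifest, config_blob):
    """Return a copy of `manifest` whose config descriptor points at `config_blob`."""
    repaired = json.loads(json.dumps(manifest))
    repaired["config"] = make_descriptor(config_blob, manifest["config"]["mediaType"])
    return repaired


if __name__ == "__main__":
    print("quoted manifest:", manifest_problems(QUOTED_MANIFEST))
    fixed = with_config_blob(QUOTED_MANIFEST, b"{}")
    print("repaired config:", fixed["config"])
    print("repaired manifest:", manifest_problems(fixed))
```

Run as-is, the quoted manifest fails only on `config.digest is empty`, which is the condition the support reply attributes the "Bad Request" / "Method Not Allowed" responses to; after the config is turned into an addressable blob the same checks pass, and `verify_blob` shows the digest-and-size pairing a proxying registry relies on to validate what it caches.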

Labels: question (Further information is requested)