Spice Labs Surveyor CLI

The Spice Labs Surveyor CLI surveys software artifacts, generates encrypted Artifact Dependency Graphs (ADGs), and securely uploads them to the Spice Labs platform. It can run locally via JVM or in a containerized environment via Docker.

Installation

macOS/Linux

curl -sSLf https://install.spicelabs.io | bash

Windows PowerShell

irm -UseBasicParsing -Uri https://install.spicelabs.io | iex

After installation, add the CLI to your PATH and export your Spice Pass:

export SPICE_PASS=<your_spice_pass>

Commands

Command            Description
run                Survey and upload in one step (default).
survey-artifacts   Generate ADGs locally but do not upload.
upload-adgs        Upload previously generated ADGs.
decode-spice-pass  Decode a Spice Pass file or string for verification.

CLI Options

General

Option                 Description                                                           Default
--input=<path>         Path to input directory.                                              Current directory
--output=<path>        Directory for output ADGs.                                            None
--tag=<tag>            Required tag used to group scans.                                     None
--tag-json=<json>      Attach JSON metadata to tag.                                          None
--threads=<n>          Threads to use (parallelism).                                         Half of available cores
--max-records=<n>      Max records per batch.                                                5000
--log-level=<level>    Logging verbosity: all, trace, debug, info, warn, error, fatal, off.  info
--log-file=<path>      Write logs to file.                                                   None
--ci                   CI mode (non-interactive).                                            Off
--use-static-metadata  Add static metadata to survey.                                        Off

Advanced Builder Options

Option                    Description
--ginger-args=<args>      Extra flags to Ginger uploader (comma-separated). Example: --ginger-args="--encrypt-only,--skip-key".
--goat-rodeo-args=<args>  Key=value args to Goat Rodeo surveyor. Example: --goat-rodeo-args="blockList=ignored,tempDir=/tmp".

Example Commands

Full Survey and Upload

spice --input=./target --tag=my-service

Survey Only

spice --command=survey-artifacts --input=./src --output=./adg-out --tag=my-service

Upload Existing ADGs

spice --command=upload-adgs --input=./adg-out

CI Mode

spice --ci --command=run --input=./target --tag=ci-build

Add Metadata

spice --tag=my-service --tag-json='{"commit":"abc123","branch":"main"}'

Log to File

spice --log-level=debug --log-file=spice.log --tag=debug-test

Docker Usage

docker run --rm \
  -e SPICE_PASS=... \
  -v "$PWD/input:/mnt/input" \
  -v "$PWD/output:/mnt/output" \
  spicelabs/spice-labs-cli \
  --command=run \
  --input=/mnt/input \
  --output=/mnt/output \
  --tag=my-service

Upload only:

docker run --rm \
  -e SPICE_PASS=... \
  -v "$PWD/output:/mnt/input" \
  spicelabs/spice-labs-cli \
  --command=upload-adgs \
  --input=/mnt/input

Environment Variables

Variable                  Description                              Default
SPICE_PASS                JWT token for authentication (required). None
SPICE_LABS_CLI_USE_JVM    Use JVM instead of Docker (1 = enable).  0
SPICE_LABS_CLI_JAR        Path to local JAR when in JVM mode.      /opt/spice-labs-cli/spice-labs-cli.jar
SPICE_LABS_JVM_ARGS       JVM runtime flags.                       --XX:MaxRAMPercentage=75
SPICE_IMAGE               Docker image name.                       spicelabs/spice-labs-cli
SPICE_IMAGE_TAG           Docker image tag.                        latest
SPICE_LABS_CLI_SKIP_PULL  Skip docker pull (1 = skip).             0

GitHub Actions Integration

jobs:
  spice-survey:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Spice Labs Surveyor
        uses: spice-labs-inc/action-spice-labs-surveyor@v2
        with:
          tag: my-service

Troubleshooting

Common Errors

Issue                      Cause                                 Solution
OCI runtime create failed  Mounted a .tar.gz instead of a .tar.  Save Docker image as .tar only.
SPICE_PASS not set         Missing authentication variable.      Export SPICE_PASS before running.
Input directory not found  Incorrect --input path.               Verify mount path or local path.
Permission denied          Docker volume not writable.           Use absolute paths and correct permissions.
Upload failed              Network or token issue.               Re-authenticate and retry with valid SPICE_PASS.

Debugging

  • Increase verbosity with --log-level=debug.
  • Write logs using --log-file=spice.log.
  • In CI, include --ci for deterministic exits.
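
A preflight check for the SPICE_PASS, token, and input-path failures in the Common Errors table, as an added example that is not part of the Spice Labs CLI. It assumes SPICE_PASS is a three-part JWT that may carry the standard exp claim; spice_preflight and b64url_decode are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Added example (not part of the Spice Labs CLI). Assumptions: SPICE_PASS is a
# three-part JWT (header.payload.signature) and may carry the standard "exp"
# claim. The signature is not verified and the token is never printed.

# Decode one base64url segment: map '-'/'_' back and restore '=' padding.
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    1) return 1 ;;              # impossible length for base64
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | base64 -d 2>/dev/null
}

# spice_preflight [input_dir] [now_epoch]
# Returns 0 ok, 2 SPICE_PASS unset, 3 not JWT-shaped, 4 expired, 5 no input dir.
spice_preflight() {
  local input_dir="${1:-.}" now="${2:-$(date +%s)}" shape payload exp
  if [ -z "${SPICE_PASS:-}" ]; then
    echo "preflight: SPICE_PASS not set" >&2; return 2
  fi
  case "$SPICE_PASS" in
    *.*.*.*)  shape=bad ;;      # more than three segments
    ?*.?*.?*) shape=ok ;;       # three non-empty segments
    *)        shape=bad ;;
  esac
  if [ "$shape" != ok ]; then
    echo "preflight: SPICE_PASS is not a three-part JWT" >&2; return 3
  fi
  payload=$(b64url_decode "$(printf '%s' "$SPICE_PASS" | cut -d. -f2)") || {
    echo "preflight: SPICE_PASS payload is not valid base64url" >&2; return 3; }
  # Pull the numeric exp claim, if any, without echoing the payload itself.
  exp=$(printf '%s' "$payload" |
    sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
  if [ -n "$exp" ] && [ "$exp" -le "$now" ]; then
    echo "preflight: SPICE_PASS expired at epoch $exp" >&2; return 4
  fi
  if [ ! -d "$input_dir" ]; then
    echo "preflight: input directory not found: $input_dir" >&2; return 5
  fi
  return 0
}
```

Call spice_preflight ./target before spice in a CI step. It checks shape and expiry only, so a pass that clears it can still be rejected by the platform.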

Build Locally

git clone https://github.com/spice-labs-inc/spice-labs-cli.git
cd spice-labs-cli
mvn clean install

Output:

target/spice-labs-cli-<version>-fat.jar

Run manually:

java -jar target/spice-labs-cli.jar --version

License

Apache License 2.0. See LICENSE.