Open Source at Spice Labs
We open source every component that touches your components and information. Transparency isn’t marketing—it’s the contract we keep with customers.
On top of that, we’re building fast, read-only graph tech and ADG (Artifact Dependency Graph) scanning tools designed for plugins, custom pipelines, and research.
👉 Explore on GitHub
👉 Join the Community Room on Matrix
Why we open source
- Radical transparency — If a service can read your components and information, its source is public.
- Auditable by design — Users, auditors, and researchers can inspect how we handle data.
- Composable ecosystem — Our read-only graph engine and ADG scanners are built for customization, plugins, and novel workflows.
TL;DR
If it processes your components and information, it’s open source.
If it’s foundational graph/ADG tech, we want you to extend it.
Projects
- BigTent
Read-only graph database for artifacts & relationships. High-performance, append-safe graph built for provenance, lineage, and ADG exploration.
- Spice Labs Surveyor CLI
Secure packaging, hashing, and upload tooling. Build, validate, and ship artifacts with reproducible hashes.
- GoatRodeo
Artifact surveyor + ADG extractor. Turns images, packages, and repos into verifiable dependency graphs.
- Ginger-j
Java encryption + uploader SDK. Production-ready library for packaging, encrypting, and shipping deployment bundles.
- GitHub Action: Surveyor
CI integration for ADG surveys. Drop-in GitHub Action to run Spice Labs Surveyor in CI.
- Sample Project
Reference repo + sample data. Minimal repository to try surveys, graph ingestion, and end-to-end flows locally.
How we work
- Transparency by design — Any service that processes components and information is open source.
- Typed & reproducible — We favor strongly typed languages (Rust, Scala, Java) and reproducible builds/hashes so results can be independently verified.
- Immutable + auditable — Data flows are modeled as append-only graphs; changes are traceable, never overwritten.
- Security first — Encryption and key management are part of the default design.
- Composable surfaces — CLIs, APIs, and graph layers expose stable extension points for plugins and integrations.
Get involved
- Chat: Matrix community room
- Org: github.com/spice-labs-inc
- Security reports: Please follow each repo’s CONTRIBUTING.md. Responsible disclosure appreciated. support@spicelabs.io
Need something specific? Open an issue or start a thread in Matrix—tell us your use case and we’ll help you land fast.