Bytesafe Community Edition

Getting Started with Bytesafe Community Edition (Free)

Bytesafe is a security platform that protects organizations from open source software supply chain attacks.

The Community Edition of Bytesafe is free to download and use and is configured to use PostgreSQL for data management and Redis for efficient caching. It stores package artifacts on the local file system, making it a convenient solution for many use cases.

However, for production workflows requiring high availability, disaster recovery, the convenience of a managed service or more advanced features such as License Compliance, we recommend our Business or Enterprise tiers.

Quickstart using Docker Compose

Using Docker Compose to install Bytesafe Community edition together with PostgreSQL and Redis will get you started in minutes:

  1. Download the sample docker-compose.yml file to your host. You can download the file with command line utilities like curl and wget, or from the Bytesafe Community Edition Git repository using a web browser.
  2. Create an .env file with a unique and secret value for the DATA_ENCRYPTION_KEY environment variable. See Configuration below for more information on when this is used.
  3. Use docker compose to start Bytesafe Community Edition + PostgreSQL + Redis.

$ curl -O

$ echo "DATA_ENCRYPTION_KEY='$(cat /dev/urandom | LC_ALL=C tr -dc 'a-zA-Z0-9' | fold -w 50 | head -n 1)'" > .env

$ docker compose up

  1. Open up a web browser and create your workspace owner account here: http://localhost:8081/

See below for detailed instructions and configuration options.


Bytesafe Community Edition is available in multiple formats to accommodate a wide range of user preferences and requirements. For flexibility and convenience for various deployment scenarios, these formats are described below.

Standalone Binaries

Standalone binaries are available for download from the official GitHub repository. You can download these binaries and run them directly on your system. This is a great option for users who want to run Bytesafe on existing infrastructure and/or want more control over their deployment.

To download the latest binary, navigate to the releases page of the official GitHub repository, find the most recent release, and download the appropriate binary for your operating system.

Verify the integrity and authenticy of binaries using cosign:

# Download Bytesafe public key

$ curl -O

# Verify using cosign

$ cosign verify-blob bytesafe-ce_Darwin_x86_64.tar.gz --signature bytesafe-ce_Darwin_x86_64.tar.gz.sig --key

Verified OK

Docker Images

For users who prefer containerized environments, Bytesafe CE is also distributed as a Docker image on Docker Hub. You can pull the latest image from the bytesafe/bytesafe-ce repository and run it using Docker or Docker Compose.

Bytesafe CE comes with a Docker Compose configuration where Bytesafe CE, PostgreSQL, and Redis services are orchestrated to work seamlessly together, providing users with a straightforward and efficient method for deploying and running Bytesafe.


If you’re running a Kubernetes environment, you can deploy Bytesafe CE using the Kubernetes manifests available in the official GitHub repository.

We sign all Bytesafe Community Edition binaries and docker images using Sigstore / cosign and encourage you to verify the authenticity of any binaries or docker images before execution.

Docker Compose

  1. Download the sample docker-compose.yml file to your host. You can download the file with command line utilities like curl and wget, or you can manually copy docker-compose.yml from the Bytesafe Community Edition Git repository using a web browser.

# Using cURL:

$ curl -O

# Using wget:

$ wget

We have provided an example configuration in the Github repository that uses Nginx to provide HTTPS/SSL support. However setting up and managing HTTPS certificates are not discussed further here, but we encourage you to use existing solutions in front of Bytesafe to protect the integrity of your data in transit.

To set up and run Bytesafe CE using Docker or Docker Compose, follow these steps:

  1. Pull the Bytesafe CE Docker image:

$ docker pull bytesafe/bytesafe-ce:latest

  1. Verify the integrity and authenticy of the docker image using cosign.

# Download Bytesafe public key

$ curl -O

# Verify using cosign

$ cosign verify bytesafe/bytesafe-ce:latest --key

Verification for --

The following checks were performed on each of these signatures:

- The cosign claims were validated

- Existence of the claims in the transparency log was verified offline

- The signatures were verified against the specified public key


  1. Start Bytesafe, PostgreSQL and Redis

$ docker compose up

Docker Image

The Bytesafe docker image can be started separately utilizing existing PostgreSQL and Redis infrastructure. Make sure to start the Docker container with the necessary environment variables. Replace the placeholder values with your own:

$ docker run -d \

--name bytesafe-ce \

-p 8081:8081 \

-e DATA_ENCRYPTION_KEY=<your_data_encryption_key> \

-e URL_PREFIX=http://localhost:8081 \

-e DB_HOST=pghost.localdomain \

-e REDIS_HOST=redis.localdomain \



Environment Variables

The Bytesafe CE Docker image uses several environment variables for configuration. The table below provides a description of each variable:

Only the URL_PREFIX and DATA_ENCRYPTION_KEY are mandatory to supply.

Environment Variable Default Value Description
DATA_ENCRYPTION_KEY The key used to encrypt sensitive data stored in the Bytesafe database. Mandatory.
URL_PREFIX http://localhost:8081 The user facing (i.e. load balancer etc) URL prefix for the Bytesafe web interface and API.
PORT 8081 The HTTP listening port
DATA_PATH /var/lib/bytesafe The path for storing files (package blobs)
ALLOW_PRIVATE_IPS Set to true to allow Bytesafe to connect to RFC1918 addresses
SMTP_HOST The hostname of the SMTP server used for sending email notifications.
SMTP_PORT The port number of the SMTP server used for sending email notifications.
SMTP_USER The username for authenticating with the SMTP server.
SMTP_PASSWORD The password for authenticating with the SMTP server.
SMTP_FROM_ADDRESS noreply@localdomain The from address used for mail sent from bytesafe
DB_HOST The hostname for the PostgreSQL database used by Bytesafe.
DB_PORT 5432 The port number for the PostgreSQL database used by Bytesafe.
DB_USER bytesafe_rw The username for the PostgreSQL database used by Bytesafe.
DB_PASSWORD bytesafe The default password for the PostgreSQL database used by Bytesafe
DB_ADMIN_USER postgres PostgreSQL user used for initial database setup. Needs adequate privileges to create databases, tables, index etc
REDIS_HOST The hostname for the Redis datastore used by Bytesafe.
REDIS_PORT 6379 The port number for the Redis datastore used by Bytesafe.
REDIS_USER The username for the Redis datastore used by Bytesafe.
REDIS_PASSWORD The password for the Redis datastore used by Bytesafe.
TELEMETRY true Send anonymous telemetry to below for more info)

Command Line arguments

The Bytesafe Community Edition binary bytesafe-ce has the following options

      --setupdb            Create database if not detected
      --accesslog          Enable access log for successful requests (errors are always logged) (default false)
      --debug              Enabled additional logging for debugging
  -h, --help               Show help
  -V, --version            Show version

Data storage

Bytesafe Community Edition stores its data in three different locations:

  1. Application configuration, package metadata, vulnerability database etc. is stored in a PostgreSQL database. In our docker compose example configuration this volumne is named bytesafe-postgres-data
  2. Package Blobs are stored on the local file system, default location is /var/lib/bytesafe. In our docker compose example configuration this volumne is named bytesafe-blob-data.
  3. Redis is used as an application cache and no persistent data is stored here.

Initial Setup

Once the Docker container is running, the first step is to create the initial administrator account (account owner). This can be done by accessing the Bytesafe CE web interface, available at the URL defined by the URL_PREFIX environment variable (default: http://localhost:8081/).

Upon creation of the administrator account, you will be able to access your Bytesafe workspace. This workspace empowers you to create and administer private registries, import and publish packages, manage dependencies, and configure security settings, providing a comprehensive control over your package management.


Bytesafe CE sends anonymous telemetry to This is used to help us understand how Bytesafe is used and to improve the product. The data is anonymous and does not contain any sensitive information.

The following data points are collected:

Data point Description
Version Bytesafe version
Commit Bytesafe commit hash
Fingerprint Unique identifier for the Bytesafe installation
Started Timestamp for when instance was started
Uptime Number of seconds since instance was started
Tags Installation type (docker, docker-compose etc)

You can opt out of the telemetry by setting the environment variable TELEMETRY=false when starting the container.


While the Bytesafe Community Edition provides a robust suite of features, it does have some limitations compared to the premium offerings.

For a detailed feature comparison, and to understand which edition best suits your needs, refer to our pricing page. Here, you’ll find a side-by-side comparison of the features offered in each Bytesafe edition, helping you make an informed decision about which solution best suits your needs.

License and Commercial use

Bytesafe Community Edition is free to download and use under the end user license. It’s free for both commercial and personal use.

Feedback & Contribution

For bug reporting and discussion related to Bytesafe Community Edition, we use GitHub issues.

If you encounter any issues, or if you want to participate in ongoing discussions, please visit our GitHub issues page at

Here, you can report new issues, contribute to existing ones, or browse through previously resolved problems. Your participation helps us continually improve Bytesafe Community Edition.