Beekeeper Docs

Installation

Install Beekeeper and verify the binary with cosign and SLSA provenance.

Beekeeper ships as a single static Go binary with no external runtime dependencies. You can install it with go install, download a signed pre-built binary, or build it from source. Because Beekeeper runs with your full filesystem and network privileges, verify the binary before trusting it: the cosign and SLSA steps below let you confirm it was built by the release pipeline and not tampered with.

go install

go install github.com/home-beekeeper/beekeeper/cmd/beekeeper@latest

This builds from source on your machine and places the binary on your PATH.

Pre-built binaries (GitHub Releases)

Signed binaries are published on the GitHub Releases page, one per platform:

https://github.com/home-beekeeper/beekeeper/releases/tag/v<version>

Each release includes the binary, its cosign signature, the SLSA provenance (beekeeper.intoto.jsonl), and a CycloneDX SBOM (beekeeper.cyclonedx.json). Download the binary for your platform, then verify it with the steps below.

Verify the cosign signature

Every released binary is keylessly signed via Sigstore/cosign using GitHub Actions OIDC; there is no long-lived signing key to steal. Verify that the binary was produced by the release workflow:

cosign verify \
  --certificate-identity=https://github.com/home-beekeeper/beekeeper/.github/workflows/release.yml@refs/tags/v<version> \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
  beekeeper

A successful verification confirms the binary was signed by a GitHub OIDC token bound to the release workflow, not by a manually held key.

Verify SLSA provenance

Releases carry SLSA Level 3 provenance generated by slsa-github-generator@v2.1.0. Verify it with slsa-verifier:

slsa-verifier verify-artifact beekeeper \
  --provenance-path beekeeper.intoto.jsonl \
  --source-uri github.com/home-beekeeper/beekeeper

The --source-uri is the lowercase Go-module source URI (github.com/home-beekeeper/beekeeper). This differs from the cosign --certificate-identity, which uses the workflow URL. Use each command exactly as shown.

SLSA Level 3 confirms the build environment was ephemeral, the build was triggered by a source commit, and the provenance was produced by the SLSA generator, not by the project's own workflow.

Inspect the SBOM

A CycloneDX Software Bill of Materials lists every direct and transitive Go dependency with its version. Compare it against the expected dependency set for the release:

jq -r '.components[] | "\(.name)@\(.version)"' beekeeper.cyclonedx.json
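The comparison step above, as an added example that is not Beekeeper's own tooling: this Python script reads the same components array the jq command prints and reports what differs from an expected dependency set. The SBOM document and the expected module list are constructed placeholders, not Beekeeper's real dependencies.

```python
import json

# Constructed sample SBOM shaped like a CycloneDX 1.x JSON document; module
# names and versions are placeholders, not Beekeeper's real dependencies.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "github.com/example/cli", "version": "v1.2.0"},
        {"type": "library", "name": "golang.org/x/sys", "version": "v0.28.0"},
        {"type": "library", "name": "github.com/example/extra", "version": "v0.1.0"},
    ],
})

# Constructed expected set, e.g. what the tagged release's go.mod resolves to.
EXPECTED = {
    "github.com/example/cli@v1.2.0",
    "golang.org/x/sys@v0.27.0",
}


def sbom_components(sbom_json: str) -> dict[str, str]:
    """Return {module name: version} for every component in the SBOM."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {c["name"]: c.get("version", "") for c in doc.get("components", [])}


def compare_sbom(sbom_json: str, expected: set[str]) -> dict[str, list[str]]:
    """Diff SBOM components against expected 'name@version' entries.

    Reports modules missing from the SBOM, modules present but not expected,
    and modules whose version differs; all three lists are sorted.
    """
    actual = sbom_components(sbom_json)
    want = dict(e.rsplit("@", 1) for e in expected)
    missing = [n for n in want if n not in actual]
    unexpected = [n for n in actual if n not in want]
    mismatched = [f"{n}: expected {want[n]}, sbom has {actual[n]}"
                  for n in want if n in actual and actual[n] != want[n]]
    return {"missing": sorted(missing), "unexpected": sorted(unexpected),
            "mismatched": sorted(mismatched)}


if __name__ == "__main__":
    # A clean release shows three empty lists; anything else needs explaining.
    for key, items in compare_sbom(SAMPLE_SBOM, EXPECTED).items():
        print(f"{key}: {items or 'none'}")
```

An unexpected or version-mismatched module is the signal to stop and check the release's go.mod at the tag before trusting the binary.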

Reproducible build verification

Beekeeper builds are reproducible (-trimpath -buildvcs=false -mod=readonly). You can rebuild a release from its source tag and confirm the output hash matches the published binary:

make verify-release VERSION=X.Y.Z

A mismatch means the released binary was not produced from the tagged source.

Build from source

git clone https://github.com/home-beekeeper/beekeeper
cd beekeeper
make build

make build uses the reproducible flags above. Requires Go 1.25+.

State directory

Beekeeper stores its configuration, policies, catalogs, audit log, and runtime state in a per-user directory:

OS               State directory
Linux / macOS    ~/.beekeeper/
Windows          %APPDATA%\beekeeper\

See Configuration for what lives there and how the layered config is merged.

Distribution. The canonical module path and GitHub Releases are the distribution channels. The verification commands above are exactly the ones the release pipeline produces signatures for.
