Public beta · building in the open

CI/CD that runs inside the tools you already use.

Add one step to the CI you already run and get portable, isolated, policy-checked builds with signed provenance — same run, same result, on any CI and any cloud. Or run it standalone.

plug-and-play · portable · secure · standalone-ready
+ 1 check · zero workflow changes

feat: add checkout flow #284 · 3 checks
build: passed · 41s
test (3.12): passed · 1m12s
LabHit CI / pipeline: Queued · Running… · Passed ✓
isolated sandbox · policy gate ok
provenance signed · 6 stages, any cloud
runs inside your CI — or on its own

How you run it

Three ways in. One pipeline.

The same pipeline.yaml runs as a layer on the CI you already have, on any other CI or cloud, or on its own. Pick a path — the definition never changes.

.github/workflows/ci.yml

# add one step — nothing else changes
steps:
  - uses: actions/checkout@v4
  - uses: lab-hit/labhit-action@v1
    with:
      pipeline: .labhit.yaml

Drops into your existing workflow. LabHit runs your pipeline in an isolated sandbox and reports back as one more check on the pull request.

# one binary — embedded storage, no services
$ labhit run

→ scheduling 6 stages…
→ sandbox ready · policy gate ok
→ pipeline passed in 1m38s

No platform required. Run the whole pipeline locally for development, demos, or air-gapped builds. Same config, same result.

# the portable definition — runs anywhere
engine: "1"
pipeline:
  name: build-and-deploy
# same file on any CI, any cloud, your laptop

Define once, run anywhere. The pipeline isn't tied to a vendor. Move clouds or CI providers and the definition comes with you, unchanged.

Pipeline format

Define stages, not workflows.

Each stage declares what to run — an extension or a shell command. Wire dependencies with after. The scheduler builds a DAG and runs independent stages in parallel.

pipeline.yaml
engine: "1"

pipeline:
  name: build-and-deploy

stages:
  fetch:
    use: source/git
    with:
      depth: 1

  test:
    after: [fetch]
    run: cargo test --workspace
    sandbox:
      image: rust:1.93-slim

  build:
    after: [test]
    use: build/container
    with:
      dockerfile: Dockerfile

  scan:
    after: [test]
    use: scan/trivy

  deploy:
    after: [build, scan]
    use: deploy/kubernetes
    gate:
      approval: required

Scheduler DAG: fetch → test → build and scan (in parallel) → ⚖ deploy

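
The scheduling described above, as an added example (not LabHit's scheduler or code from this page): it groups the pipeline.yaml stages into parallel waves from their after lists, rejects unknown or cyclic dependencies, and flags any deploy/* stage that has no scan/* stage upstream. The dict transcription of the YAML, the function names and the scan-before-deploy check are assumptions made for illustration.

```python
from graphlib import CycleError, TopologicalSorter

# The page's pipeline.yaml stages, transcribed by hand as a dict (assumption:
# done so the example runs without a YAML parser; unused keys are omitted).
STAGES = {
    "fetch":  {"use": "source/git"},
    "test":   {"after": ["fetch"], "run": "cargo test --workspace"},
    "build":  {"after": ["test"], "use": "build/container"},
    "scan":   {"after": ["test"], "use": "scan/trivy"},
    "deploy": {"after": ["build", "scan"], "use": "deploy/kubernetes",
               "gate": {"approval": "required"}},
}

def waves(stages):
    """Group stages into waves; stages within a wave can run in parallel."""
    for name, spec in stages.items():
        missing = [d for d in spec.get("after", []) if d not in stages]
        if missing:
            raise ValueError(f"{name}: unknown stage(s) in after: {missing}")
    ts = TopologicalSorter({n: s.get("after", []) for n, s in stages.items()})
    try:
        ts.prepare()  # raises CycleError if the after edges form a loop
    except CycleError as exc:
        raise ValueError(f"dependency cycle: {exc.args[1]}") from exc
    out = []
    while ts.is_active():
        ready = sorted(ts.get_ready())  # every stage whose deps are all done
        out.append(ready)
        ts.done(*ready)
    return out

def ancestors(stages, name):
    """Every stage that must finish before `name` can start."""
    seen, stack = set(), list(stages[name].get("after", []))
    while stack:
        dep = stack.pop()
        if dep not in seen:
            seen.add(dep)
            stack.extend(stages[dep].get("after", []))
    return seen

def unscanned_deploys(stages):
    """Hypothetical policy check: deploy/* stages with no scan/* upstream."""
    return [n for n, s in stages.items()
            if s.get("use", "").startswith("deploy/")
            and not any(stages[a].get("use", "").startswith("scan/")
                        for a in ancestors(stages, n))]

if __name__ == "__main__":
    print(waves(STAGES))
    print(unscanned_deploys(STAGES))
```

Dropping scan from deploy's after list still yields a valid DAG, which is why the upstream-scan check is separate from the scheduling itself.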
The extension model

From smart contracts to model training. One pipeline.

The engine ships with zero built-in integrations. Every capability is an extension you install by name — source/git, build/container, deploy/ethereum. All sandboxed, all composable.

Browse the extension interface

source/git · Source
build/container · Build
build/solidity · Blockchain
🧠 train/pytorch · Machine Learning
🔍 scan/trivy · Scan
deploy/ethereum · Blockchain
deploy/kubernetes · Deploy
🔐 scan/sast · Security

Extension marketplace

The app store for CI/CD.

Browse, install, and publish extensions across 15 categories. Build in any language that compiles to WASM.

Blockchain

Solidity builds, Foundry tests, Ethereum & Solana deploys, gas audits, contract verification.

🧠 Machine Learning

PyTorch training, ONNX builds, model validation gates, GPU containers, inference deployment.

🛡 Security

SAST, DAST, dependency scanning, secret detection, license gates, benchmark checks.

Build extensions. Publish them. Earn from them.

Any language that compiles to WASM. Publish free, or sell your own.

Portability

One binary. Three modes.

Same config. Same extensions. Same results. Scale up only when you need to.

01 Local
SQLite · embedded

Run on your laptop. Zero infrastructure. Start with labhit run and watch your pipeline execute.

02 Standalone
PostgreSQL · single node

Deploy to a server. Same binary, same config. Add a database for persistence and your team is running.

03 Cluster
PostgreSQL · distributed

Scale horizontally. High availability, distributed scheduling, same extensions. The config never changes.

The config never changes. Only the infrastructure beneath it does.

Progress

Where we are.

Built in the open. Shipped when ready. Follow our engineering milestones.

8 Shipped · 2 Building · 5 Planned

Pipeline engine: Shipped
Extension system & marketplace: Shipped
Policy & isolated execution: Shipped
Live build logs: Shipped
Webhooks: Shipped
Sign-in & accounts: Shipped
Public beta API & dashboard: Shipped
GitHub integration — run on every push, results as a status check: Shipped
Connect-your-repo flow: Building
Per-repo secrets: Building
LabHit step for your existing workflow: Planned
Bring your existing pipeline (import your current config): Planned
Deploy to any cloud: Planned
Run portably across any CI: Planned
Standalone mode, documented: Planned

Run it as a layer.
Or run it standalone.

Add it to the CI you already use, or run it standalone as a single binary. Try the beta, or read the open spec.
