boost
Health Pass
- License — License: NOASSERTION
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Community trust — 97 GitHub stars
Code Fail
- rm -rf — Recursive force deletion command in install.sh
Permissions Pass
- Permissions — No dangerous permissions requested
This tool is a CLI utility designed to accelerate build commands, tests, and coding agents. It wraps existing commands to speed up execution and reduce noisy output in local terminals, CI pipelines, and AI editors.
Security Assessment
Risk: Medium. The tool executes shell commands by design, acting as a wrapper for your existing workflows. The primary security concern is its installation method: piping a remote curl script directly to bash. The automated scan flagged a recursive force deletion (`rm -rf`) command inside this `install.sh` script, which requires careful manual review to ensure it doesn't accidentally delete critical system files. While no hardcoded secrets or dangerous repository permissions were detected, the tool collects OpenTelemetry telemetry. Because it routes your build and execution data through its proprietary framework, users should verify exactly what data is being tracked and where it is sent.
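One way to carry out the manual review described above, as an added example that is not part of the scan report or the project's code: save the installer to a file, list every recursive force delete, and flag the ones whose target depends on an unguarded variable. The sample installer embedded in the block is constructed for the demonstration, and the names `audit_rm`, `count_high` and `write_sample` are this example's own.

```sh
#!/bin/sh
# Added example. On a real install: fetch to a file, audit, read, then run:
#   curl -fsSL https://raw.githubusercontent.com/jfrog/boost/main/install.sh -o install.sh
#   audit_rm install.sh; less install.sh; bash install.sh

# Print "LINE:RISK:TEXT" for each recursive force delete in script $1.
#   high = target expands a variable with no ${VAR:?} guard (empty value => wrong path)
#   low  = literal path, or a ${VAR:?} guard appears in the target
audit_rm() {
  awk '
    /^[ \t]*#/ { next }                       # skip comment lines
    {
      s = " " $0                              # leading space lets "rm" match at column 1
      if (!match(s, /[^A-Za-z0-9_]rm([ \t]+-[A-Za-z]+)+/)) next
      flags = substr(s, RSTART, RLENGTH)
      rest  = substr(s, RSTART + RLENGTH)
      if (flags !~ /-[A-Za-z]*[rR]/ || flags !~ /-[A-Za-z]*f/) next
      risk = (index(rest, "$") > 0 && index(rest, ":?") == 0) ? "high" : "low"
      printf "%d:%s:%s\n", NR, risk, $0
    }' "$1"
}

# Count the findings in script $1 that need a manual look before it is run.
count_high() {
  audit_rm "$1" | awk -F: '$2 == "high" { n++ } END { print n + 0 }'
}

# Constructed sample installer for the demo; NOT the project's install.sh.
write_sample() {
  cat > "$1" <<'EOF'
#!/bin/sh
PREFIX="$1"
TMP="$(mktemp -d)"
# rm -rf mentioned in a comment is ignored
rm -rf "$PREFIX/bin"
rm -rf "${TMP:?}"
rm -fr /opt/example/cache
trap 'rm -r -f "$TMP"' EXIT
rm -f "$TMP/archive.tgz"
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_rm "$sample"
echo "findings needing review: $(count_high "$sample")"
rm -f "$sample"
```

The classification is a line-level heuristic: a `high` finding means the variable's origin has to be traced by hand, not that the line is necessarily destructive.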
Quality Assessment
Quality is High. The project is actively maintained, with repository activity as recent as today. It enjoys a solid community footprint with 97 GitHub stars and is sponsored by JFrog, a well-established software company. However, it operates under a "NOASSERTION" / proprietary beta license, meaning it is not a standard open-source tool. Developers must review the specific terms of use before integrating it into commercial pipelines.
Verdict
Use with caution: While the project is professionally backed and actively maintained, the proprietary license, telemetry tracking, and potentially destructive installation script warrant a manual code review before deploying in sensitive environments.
Make your agents leaner and faster. It’s not just about saving time; it’s about the feeling of not wasting it.
Boost — faster agents, faster CI
For coding agents, their commands, and the CI that runs them.
Sponsored by JFrog
Humans and coding agents spend too much time waiting for commands to finish and sifting through noisy output. Boost is a single binary that drops into three places at once:
- your terminal — prefix any command with boost
- your coding agent — boost init wires up Cursor, Claude Code, Codex, Gemini CLI, and more
- your CI — one line: uses: jfrog/boost@v0
Same binary, same acceleration, same telemetry — wherever your builds run.
Quick Start
CLI — prefix any command with boost
Install:
curl -fsSL https://raw.githubusercontent.com/jfrog/boost/main/install.sh | bash
Use:
boost docker build -t myapp .
boost npm ci
boost pytest
Coding agent — auto-wire Cursor, Claude Code, Codex, and more
Run the interactive setup in any project:
boost init
It detects your installed editors and CI providers and registers hooks so every tool call the agent makes gets wrapped by boost. Re-run it any time your editor / agent list changes.
CI — one line in your workflow
steps:
- uses: jfrog/boost@v0
- uses: actions/checkout@v4
...
The action pins to the rolling v0 major; see releases for the latest tag.
Why Boost
- One binary, three surfaces — CLI, coding agent, and CI all share the same runtime and behave identically.
- 60–90% fewer log tokens — strips noise from command output before it reaches your agent's context window.
- Deep OTel context — every wrapped command emits OpenTelemetry traces and metrics your agents can reason about.
Before / after
Same npm ci, same result. What changes:
- ~15× fewer tokens in your agent's context — 9.8k → 640 on a typical install.
- Faster reruns via content-addressed cache — seconds instead of minutes.
- Deep OTel trace of every command — timing, cache hits, exit code — routable to your backend.
# Without boost — ~9,800 tokens of log noise in your agent's context
$ npm ci
npm warn deprecated [email protected] / [email protected] / [email protected] …
added 1285 packages, audited 1286 in 45s
found 0 vulnerabilities
# With boost — ~640 tokens, same result, cache-backed
$ boost npm ci
[OK] npm ci · 1,285 packages restored from boost cache in 2.4s · 0 vulnerabilities
Supported tools
Coding agents: Cursor · Claude Code · GitHub Copilot · Codex CLI · Gemini CLI · OpenCode · Windsurf · Cline
CI platforms: GitHub Actions · GitLab CI (coming soon) · Jenkins (coming soon) · CircleCI (coming soon) · Azure Pipelines (coming soon)
Usage examples
Prefix any command with boost — anywhere you'd normally run it.
- boost docker build ... — compressed build log, layer-cache summary, Docker metrics in OTel
- boost npm ci — dependency summary, local package cache, retry-safe output
- boost pytest — per-test pass/fail/duration stored locally, quiet output on green runs
- boost gh run view --log — CI log stream condensed to top failures plus summary
Update
boost update
Documentation
See the full documentation for commands, configuration, OpenTelemetry export, and CI recipes.
Security & Privacy
- Local-first. Command history and raw OTel traces stay on your machine.
- Only metadata leaves. Exported spans carry timing, exit code, and cache stats — never raw logs, file contents, or env values. Secrets matching patterns like *_TOKEN, *_SECRET, AWS_*, DATABASE_URL are redacted before write or export.
- Open protocol, signed binaries. OpenTelemetry-native; point BOOST_OTEL_ENDPOINT at your own backend. Binaries ship signed via GitHub Releases.
Full policy, supported versions, and how to report a vulnerability: see SECURITY.md.
License
Copyright © 2026 JFrog Ltd. All rights reserved. See LICENSE and BETA_AGREEMENT.md.
Dedicated to the memory of Dima Gershovich — a brilliant engineer, a talented musician, and a dear friend. Read Dima's story