Free & Open Source — No License Fees

Universal Artifact Repository Manager

Drop-in replacement for Sonatype Nexus. Manage Maven, Docker, npm, PyPI, Helm and 9 more formats — in one self-hosted registry, forever free.

Maven npm Docker PyPI Go Modules NuGet Helm Cargo Apt Yum Conan Raw Conda Terraform
14 Artifact Formats · 465 Go Tests Passing · 100% Nexus API Compat · $0 License Fee
Migrate from Nexus
Stream all repos, users, and artifacts from a live Nexus instance in one command. Pausable, conflict-safe.
Webhooks & Events
Async fire-and-forget delivery for artifact.published, artifact.deleted, repo.created, promotion.requested/approved and more. Slack, CI-CD, custom integrations.
OIDC / SSO Built-in
Keycloak, Google, Entra ID, Okta. JIT user provisioning, group-to-role mapping from IdP claims.
Cleanup Policies
Automated retention rules: max age, last-downloaded threshold, retain-N-versions. CRON scheduling.
S3-Compatible Storage
Route any repository to MinIO, AWS S3, Wasabi, or local filesystem. Per-repo blob store assignment.
Audit Log & CVE Scan
90-day audit trail with NDJSON streaming export. Trivy-powered Docker image scanning and OSV.dev for Maven/npm/PyPI/Cargo.
Staging & Promotion
Promotion rules with CEL path filters, scan pass gates, and manual approval. Bulk-promote from Browse. Webhook-driven approval workflow.
Content Replication
Push artifacts to remote Nexspence instances on cron schedule. AES-256-GCM credentials, per-asset diff, run history.
14 Formats

One registry for all your artifacts

Every format supports Hosted, Proxy, and Group types. One URL for your entire organization.

Format | Protocol | Repository types
Maven | Maven 2/3 | Hosted, Proxy, Group
npm | Registry v1 | Hosted, Proxy, Group
Docker | OCI Distrib. v2 | Hosted, Proxy, Group
PyPI | Simple Index | Hosted, Proxy, Group
Go Modules | GOPROXY v2 | Hosted, Proxy
NuGet | v2 OData / v3 | Hosted, Proxy, Group
Helm | Chart Repo | Hosted, Proxy
Cargo | Sparse Index | Hosted, Proxy
Apt | Debian Packages | Hosted, Proxy
Yum / RPM | repomd.xml | Hosted, Proxy
Conan | Conan v1 | Hosted, Proxy
Raw | PUT/GET/DELETE | Hosted
Conda | channel / repodata | Hosted, Proxy
Terraform | Registry Mirror | Hosted, Proxy
Clean Architecture

Handler → Service → Repository

No circular imports. All DB access through mockable interfaces. Plugin-style format handlers for each of the 14 formats.

Go (Golang) + Gin
Backend · pgx · golang-migrate
React + TypeScript
Vite · Zustand · React Query
PostgreSQL + pgxpool
Database · goose migrations
S3 / MinIO Blob Store
Local filesystem or any S3-compatible
Request Flow
HTTP / Router: Gin, RBAC, AuthMiddleware, Audit
Handlers: AuthHandler, ComponentHandler, PromotionHandler, BackupHandler
Format Handlers: Docker, Maven, npm, Helm, +10
Services: RepositoryService, PromotionService, ReplicationService, CleanupService, WebhookService
Repository: ComponentRepo, AssetRepo, PromotionRepo, AuditRepo
Storage: PostgreSQL, LocalBlobStore, S3BlobStore
Security

Enterprise Auth — Zero Cost

OIDC SSO, LDAP, API tokens, JWT, and fine-grained RBAC with CEL content selectors — all built in.

OIDC / SSO Providers
Auth code + PKCE. AES-256-GCM sealed state cookie. JIT provisioning. Group-to-role mapping from IdP claims.
Keycloak
Google
Azure Entra
Okta
Authentication Methods
Multiple strategies in one middleware — no extra config per client type.
  • JWT Bearer tokens — short-lived, configurable max days
  • API Tokens nxs_* — only the SHA-256 hash is stored
  • HTTP Basic — username/password or API token as password
  • LDAP bind with JIT sync and admin role mapping
  • Anonymous read-through for public repos
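
The hash-only API token storage listed above, sketched in Go as an added example (this is not Nexspence's own code). The `nxs_` prefix and SHA-256 come from the page; the 32-byte token length, hex encoding and function names are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

const tokenPrefix = "nxs_" // prefix shown on the page

// HashToken returns the hex SHA-256 digest, the only value persisted. A fast hash
// suffices because the input is a high-entropy random string, not a password.
func HashToken(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// NewToken returns the plaintext (shown to the user once) and its digest.
func NewToken() (plaintext, digest string, err error) {
	raw := make([]byte, 32) // assumed length: 256 bits from the CSPRNG
	if _, err = rand.Read(raw); err != nil {
		return "", "", err
	}
	plaintext = tokenPrefix + hex.EncodeToString(raw)
	return plaintext, HashToken(plaintext), nil
}

// Verify re-hashes the presented token and compares digests in constant time.
func Verify(presented, storedDigest string) error {
	if !strings.HasPrefix(presented, tokenPrefix) {
		return errors.New("not an API token")
	}
	if subtle.ConstantTimeCompare([]byte(HashToken(presented)), []byte(storedDigest)) != 1 {
		return errors.New("unknown token")
	}
	return nil
}

func main() {
	tok, digest, err := NewToken()
	if err != nil {
		panic(err)
	}
	fmt.Println("show once:", tok)
	fmt.Println("persist:", digest, "verifies:", Verify(tok, digest) == nil)
}
```

With this layout a leaked database row yields only a digest, which cannot be replayed as a credential.
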
RBAC + Content Selectors
CEL expression path-level scoping. Nexus-compatible privilege model.
User → Role → Privilege → Content Selector
format == "maven2" &&
path =~ "^/com/example/"
CVE Scanning + Audit Logs
Trivy-based Docker image scanning. 90-day audit trail with NDJSON export.
  • Scan on-demand via GET /api/v1/components/:id/scan
  • Results cached in component.extra JSON
  • Audit log: date/user filters, NDJSON streaming export
  • 90-day retention via monthly partition rotation
Install

Up and running in 2 minutes

Choose your deployment method. Docker Compose for a quick local start; Helm for production Kubernetes.

📦
Download the latest release
Pre-packaged with docker-compose.yml and config.yaml — unpack and run
GitHub Releases →
01 Unpack the release
Extract the archive: tar -xzf nexspence-v*.tar.gz && cd nexspence-*
02 Edit config.yaml
Change jwt_secret (min 32 chars) and admin_password — everything else works out of the box
03 Start and open
Auto-migrates on first start. Login at localhost:8081 — credentials: admin / admin123
shell
$ tar -xzf nexspence-v*.tar.gz
$ cd nexspence-*
$ # edit config.yaml — change jwt_secret and admin_password
$ docker compose up -d
# starts postgres + nexspence, auto-migrates on first run
$ open http://localhost:8081
# login: admin / admin123
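
A pre-deployment check for the two values step 02 asks you to change, written in Go to match the project's language. This is an added example, not part of the Nexspence release; it assumes `jwt_secret` and `admin_password` appear as plain `key: value` lines, and the function name and sample config text are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// sampleSecrets are the example passwords printed in the install commands.
var sampleSecrets = map[string]bool{"admin123": true, "changeme": true}

// CheckConfig scans config.yaml text and returns one finding per problem.
// Assumption: the two keys appear as plain `key: value` lines at any indent.
func CheckConfig(yaml string) []string {
	vals := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(yaml))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), " #") // drop trailing comments
		key, val, ok := strings.Cut(strings.TrimSpace(line), ":")
		if ok && !strings.HasPrefix(key, "#") {
			vals[strings.TrimSpace(key)] = strings.Trim(strings.TrimSpace(val), `"'`)
		}
	}
	var findings []string
	if s, ok := vals["jwt_secret"]; !ok {
		findings = append(findings, "jwt_secret: not set")
	} else if len(s) < 32 {
		findings = append(findings, fmt.Sprintf("jwt_secret: %d chars, need at least 32", len(s)))
	}
	if p, ok := vals["admin_password"]; !ok {
		findings = append(findings, "admin_password: not set")
	} else if sampleSecrets[p] {
		findings = append(findings, "admin_password: still a published sample value")
	}
	return findings
}

func main() {
	// Constructed config text; the real file's other keys are not shown on the page.
	cfg := "auth:\n  jwt_secret: \"short\"\n  admin_password: admin123 # default\n"
	for _, f := range CheckConfig(cfg) {
		fmt.Println("FAIL", f)
	}
}
```
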
With MinIO — S3-compatible storage

MinIO is included in docker-compose.yml. Set the storage type via env var — MinIO API on port 9000, console on 9001.

shell
$ NEXSPENCE_STORAGE_DEFAULT_TYPE=s3 \
    docker compose up -d
# MinIO S3 API: http://localhost:9000
# MinIO console: http://localhost:9001
# minioadmin / minioadmin
# Nexspence UI: http://localhost:8081
HA Cluster — High Availability

Uses docker-compose.ha.yml: 2 × Nexspence nodes, nginx load balancer (least_conn), Redis, MinIO, PostgreSQL.

shell
$ docker compose \
    -f docker-compose.ha.yml \
    up -d
# 2 × Nexspence + nginx LB (least_conn)
# + Redis + MinIO + PostgreSQL
# Load balancer: http://localhost:8080
With Keycloak SSO

Starts a pre-configured Keycloak dev instance with the nexspence realm imported. "Sign in with Keycloak" appears on the login page.

shell
$ OIDC_ENABLED=true \
    docker compose \
    --profile keycloak \
    up -d
# Nexspence UI: http://localhost:8081
# login: admin / admin123
# Keycloak admin: http://localhost:8180
# login: admin / admin
# Test SSO user: testuser / testpass
# mapped to nx-admin role
Requirements: Helm 3.x · Kubernetes ≥ 1.26. Image ghcr.io/nexspence-oss/nexspence is pulled automatically from GitHub Container Registry.
NETWORKING OPTION
shell — nginx ingress
$ helm install nexspence \
    deploy/helm/nexspence \
    -f deploy/helm/nexspence/values-examples/nginx.yaml \
    --set config.jwtSecret="$(openssl rand -hex 32)" \
    --set config.adminPassword="changeme" \
    --namespace nexspence \
    --create-namespace
Comparison

Nexspence vs Nexus OSS

Everything Nexus Pro charges for — included in Nexspence, free forever.

Feature | Nexspence | Nexus OSS
Price | $0 forever | Free / $120/mo Pro
Nexus REST API v1 | 100% compatible | Native
OIDC / SSO | Keycloak, Google, Entra, Okta | Pro only
LDAP Authentication | Built-in | Built-in
Docker OCI v2 | Full spec | Full spec
S3 Blob Store | Any S3-compatible | Pro only
Vulnerability Scanning | Trivy (built-in) | Pro add-on
Webhooks | Built-in async | Pro only
Per-repo Export / Import | Streaming tar.gz | Admin UI
Go Modules (GOPROXY) | Native | Community plugin
Cargo / Conan | Native | Not supported
Audit Log NDJSON Export | Built-in streaming | Pro feature
Component Tagging | Yes (GIN index) | Pro only
CEL Content Selectors | Yes | XPath / Regex
SAML 2.0 SSO | Built-in | Pro only
High Availability (Redis + S3) | Built-in | Pro only
Content Replication | Built-in (cron, AES-GCM creds) | Pro only
Staging & Build Promotion | Built-in (CEL filter, approval) | Pro only
Conda / Terraform Registry | Native | Not supported
Ready to replace Nexus?
One command streams all repos, users, and artifacts. 100% API compatible — zero client changes.