SpaceX publishes Grok Build code after repository upload backlash
SpaceX released Grok Build’s CLI code on GitHub after researchers said the tool uploaded users’ repositories to company-controlled cloud storage.
By Renata Fuchs · Policy Reporter
· 3 min read
SpaceX has published the Grok Build CLI as open source after researchers reported that the AI coding tool was uploading users’ full repositories to company-controlled Google Cloud storage. The release is an attempt to restore developer trust after a privacy issue that cuts directly into how AI coding tools handle proprietary code.
Cereblab first publicized the behavior on Sunday after examining Grok Build traffic. According to the research group, the tool bundled repositories as Git Bundles and sent them to cloud storage controlled by the company. The finding drew enough attention that Elon Musk and SpaceX publicly said the company would delete previously stored Grok Build data and give users more control over retention.
On Wednesday, SpaceX followed through on the open-source portion of that response, posting the Grok Build CLI code on GitHub and saying it had reset usage limits for all users. The repository was released as a single commit, which means outside developers can inspect the current code but cannot review earlier commit history, pull requests or the sequence of changes made before publication.
What changed in the code
Simon Willison, creator of Datasette and co-creator of Django, said the released Grok Build codebase contains 844,530 lines of Rust. Willison said the code path related to sending repositories to the cloud is still present, but appears to have been changed so the behavior is reversed.
That detail matters for teams evaluating whether open sourcing the CLI answers the privacy concern. A current code dump can show what the tool does now. It does not, by itself, show what ran in earlier versions, who changed it, or when those changes were made.
SpaceX said Grok Build has respected zero data retention, or ZDR, since launch for customers with that setting. The company also acknowledged that retention had been enabled by default for users outside ZDR, while adding that users could disable uploads in the CLI and that the choice was honored when selected.
The company said it disabled default retention for all Grok Build users starting July 12 and is deleting coding data that had previously been retained. SpaceX said users can run Grok Build in a local-first configuration with their own inference, though it did not disclose how many users were affected by the earlier default or how much repository data had been stored.
Security review shifts to the community
SpaceX has also asked outside researchers to test Grok Build and report issues through its bug bounty program. The company said rewards range from $100 to $20,000, depending on severity.
The episode is a reminder that AI coding tools are now being judged on data handling as much as model performance. For startups and engineering organizations, repository upload defaults are not a minor product setting: they can determine whether a tool is allowed anywhere near private code. SpaceX’s response gives developers more code to inspect, but the missing project history and undisclosed scale of retained data leave the company still asking users to accept parts of its account on trust.
This story draws on original reporting from The Register.