{"id":19112516,"url":"https://github.com/abourget/secrets-bridge","last_synced_at":"2025-06-30T21:07:14.960Z","repository":{"id":57526880,"uuid":"80393655","full_name":"abourget/secrets-bridge","owner":"abourget","description":"Secrets bridge - Secure build-time secrets injection for Docker","archived":false,"fork":false,"pushed_at":"2017-07-13T15:28:31.000Z","size":1013,"stargazers_count":48,"open_issues_count":2,"forks_count":5,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-30T22:14:08.012Z","etag":null,"topics":["docker","golang","security","ssh-agent"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/abourget.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-01-30T04:30:53.000Z","updated_at":"2024-07-03T08:45:58.000Z","dependencies_parsed_at":"2022-09-07T03:50:57.115Z","dependency_job_id":null,"html_url":"https://github.com/abourget/secrets-bridge","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/abourget/secrets-bridge","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/abourget%2Fsecrets-bridge","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/abourget%2Fsecrets-bridge/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/abourget%2Fsecrets-bridge/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/abourget%2Fsecrets-bridge/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/abourget","download_url":"https://codeload.github.com/abourg
et/secrets-bridge/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/abourget%2Fsecrets-bridge/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":262850264,"owners_count":23374355,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker","golang","security","ssh-agent"],"created_at":"2024-11-09T04:33:18.441Z","updated_at":"2025-06-30T21:07:14.932Z","avatar_url":"https://github.com/abourget.png","language":"Go","readme":"Secrets bridge - Secure build-time secrets injection for Docker\n===============================================================\n\nDocker does not support build-time secrets, and this is a pain for any\n`npm install`, gem installs, or whatever private repositories or\nauthenticated endpoints you need to contact during `docker build`\nruns.\n\nAlso, you never want to have your credentials snapshotted in your\nDocker image.\n\n* It serves secrets defined on the host, either on the command-line or\n  loaded from files.\n* It acts as an SSH-Agent proxy, but secured through TLS, with\n  temporary and auto-generated keypairs.\n\n## Basic usage\n\nServes the SSH Agent securely over the bridge. 
Prints the bridge config to stdout, so you can bring it to the other node by **copy \u0026 pasting**:\n\n    secrets-bridge serve -A\n\nExecute `yarn` (or `npm install` or whatever) and leverage the SSH Agent from the remote host automatically:\n\n    secrets-bridge exec -c [pasted-base64-configuration-from-host-a] yarn\n\nServe only the secret `key`, no SSH Agent forwarding:\n\n    secrets-bridge serve --secret key=value\n\nServe `key1` taking its value from `filename1` and serve `filename2` as key `filename2`:\n\n    secrets-bridge serve --secret-from-file key1=filename1 --secret-from-file filename2\n\nPrints out secret `key`. This will use the default bridge configuration file at `~/.bridge-conf` (unless you specify an explicit config as b64 with `-c`):\n\n    secrets-bridge print key\n\nExecute `my-command.sh` with the env var `THE_VALUE` set to the value of the secret `key`:\n\n    secrets-bridge exec -e THE_VALUE=key -- my-command.sh\n\nThis one prints the secret but encodes it to base64 first (see below for other variations):\n\n    secrets-bridge print b64:key\n\nYou can also serve a secret that is already base64 encoded, as plain-text:\n\n    secrets-bridge serve -w --secret b64:key=aGVsbG8td29ybGQK\n    ...\n    secrets-bridge print key\n    hello-world\n\n## Daemonization\n\nYou can start `serve` as a daemon with:\n\n    secrets-bridge serve -d daemon.log -A -w -f bridge-conf\n\nThis will daemonize and log outputs to `daemon.log` (with `-d`); it\nwill enable SSH-Agent forwarding (`-A`) and write (`-w`) the bridge\nconfig to `bridge-conf` (with `-f`).\n\nYou can then kill that instance with:\n\n    secrets-bridge kill -c $(cat bridge-conf)\n\nEt hop!\n\n\n## Usage with Docker\n\nThe _secrets bridge_ allows you to run a tiny server on your host as such:\n\n    secrets-bridge serve -d daemon.log \\\n                         -f ./bridge-conf -w \\\n                         --ssh-agent-forwarder \\\n                         --secret key=value \\\n                         --secret-from-file key2=filename \\\n                         --timeout=300\n\nand then, with a `Dockerfile` similar to this:\n\n    RUN wget https://github.com/.../releases/.../secrets-bridge\n    ARG BRIDGE_CONF\n    RUN secrets-bridge -c ${BRIDGE_CONF} test\n    RUN secrets-bridge -c ${BRIDGE_CONF} exec -- npm install\n    RUN secrets-bridge -c ${BRIDGE_CONF} exec -e SECRET=key -- ./do_sensitive_things.sh\n\nrun `docker build`:\n\n    docker build --build-arg BRIDGE_CONF=`cat bridge-conf` -t image/tag123 .\n\nand, on the host, finish with:\n\n    secrets-bridge kill -c `cat bridge-conf`\n\nto terminate the server.\n\n## Manual usage\n\nWith a bridge configuration (in base64), you can also:\n\n    secrets-bridge serve -w -A\n\ncopy your `~/.bridge-conf` to the other location's `~/.bridge-conf` and then run:\n\n    secrets-bridge exec ssh gcloud\n\nover there.\n\n\n## Base64 encoding\n\nOn-the-fly base64 encoding **and** decoding of secrets.\n\nPrefix secrets with:\n\n  * `b64:` for standard base64 codec.\n  * `b64u:` for URL-safe base64 codec.\n  * `rb64:` for padding-less standard base64 codec.\n  * `rb64u:` for padding-less URL-safe base64 codec.\n\nSecrets are binary-safe and support multi-line files.\n\n\n## SSH-Agent forwarding\n\nThe `client` sets the `SSH_AUTH_SOCK` environment variable when\ncalling the sub-processes, and transparently passes that through the\nbridge, so the SSH-Agent on the host machine can serve the signing\nrequests.\n\n\n## The `bridge-conf` file\n\nThe `bridge-conf` file contains a gzipped, base64-encoded version of:\n\n    {\"endpoints\": [\"https://127.0.0.1:12345\", \"https://192.168.0.6:12345\", \"https://172.17.0.1:12345\", \"https://192.168.99.1:12345\"],\n     \"cacert\": \"----- BEGIN CERTIFICATE -----\\n...\",\n     \"client_cert\": \"----- BEGIN CERTIFICATE -----\\n...\",\n     \"client_key\": \"----- BEGIN RSA PRIVATE KEY -----\\n...\"}\n\nIt allows the `secrets-bridge` inside the build-time container\nto communicate with the host, authenticate with the secrets server\nand obtain credentials that were passed on the command line.\n\nAll of the information in this file is temporary and will vanish once\nthe server terminates. A self-signed CA and client cert/key pair are\ngenerated on each `serve` run.\n\nYou can elect to RE-USE a CA and set of keys in a subsequent run with\n`--ca-key-store`. NOTE THAT this lessens the security, as it makes the\nkeys less \"throw-away\", making them more appealing to steal.\n\n\n# Installation - from GitHub Releases\n\nGrab a file here and `chmod +x` it if on Linux/Darwin:\n\nhttps://github.com/abourget/secrets-bridge/releases\n\n# Installation - from source\n\nDownload and install [Golang](https://golang.org/dl).  Install with:\n\n```\ngo get github.com/abourget/secrets-bridge\n```\n\nThis will build the `secrets-bridge` binary.  You will need a Linux\namd64 version for inside the containers.\n\n# Alternatives\n\nSee https://github.com/defunctzombie/docket for another approach (hacking through the image layers to make private files available at build time, but not keep them in).\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fabourget%2Fsecrets-bridge","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fabourget%2Fsecrets-bridge","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fabourget%2Fsecrets-bridge/lists"}