{"id":28356256,"url":"https://github.com/benammann/git-secrets","last_synced_at":"2025-10-11T12:07:14.571Z","repository":{"id":41048654,"uuid":"471181185","full_name":"benammann/git-secrets","owner":"benammann","description":"a cli tool to manage and deploy configurations and secrets across multiple environments all stored inside your repository","archived":false,"fork":false,"pushed_at":"2022-12-23T15:12:27.000Z","size":12958,"stargazers_count":14,"open_issues_count":6,"forks_count":1,"subscribers_count":1,"default_branch":"dev-beta","last_synced_at":"2025-06-04T11:55:41.720Z","etag":null,"topics":["cli","continuous-delivery","decryption","devops","encryption","git","golang","k8s","kubernetes","rendering-engine","secret-management","secrets"],"latest_commit_sha":null,"homepage":"https://benammann.github.io/git-secrets","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/benammann.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":"license.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-03-18T00:06:03.000Z","updated_at":"2025-03-30T01:02:08.000Z","dependencies_parsed_at":"2023-01-30T19:00:47.863Z","dependency_job_id":null,"html_url":"https://github.com/benammann/git-secrets","commit_stats":null,"previous_names":[],"tags_count":18,"template":false,"template_full_name":null,"purl":"pkg:github/benammann/git-secrets","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/benammann%2Fgit-secrets","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/benammann%2Fgit-secrets/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/benammann%2Fgit-secrets/releases","manifests_url":"https://repos.ecosyste.ms/
api/v1/hosts/GitHub/repositories/benammann%2Fgit-secrets/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/benammann","download_url":"https://codeload.github.com/benammann/git-secrets/tar.gz/refs/heads/dev-beta","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/benammann%2Fgit-secrets/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":261019843,"owners_count":23098036,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cli","continuous-delivery","decryption","devops","encryption","git","golang","k8s","kubernetes","rendering-engine","secret-management","secrets"],"created_at":"2025-05-28T06:14:18.769Z","updated_at":"2025-10-11T12:07:14.564Z","avatar_url":"https://github.com/benammann.png","language":"Go","readme":"\u003cdiv align=\"center\"\u003e\n\u003ch2\u003eGit Secrets\u003c/h2\u003e\n\u003cp\u003ea cli tool to manage and deploy configurations and secrets across multiple environments all stored inside your repository.\u003cbr /\u003egit secrets is built to automate local tasks like setting up the project or deploying secrets manually.\u003c/p\u003e\n\u003cimg src=\"https://img.shields.io/github/v/release/benammann/git-secrets\" /\u003e\n\u003cimg src=\"https://img.shields.io/docker/v/benammann/git-secrets?label=image\" /\u003e\n\u003cimg src=\"https://github.com/benammann/git-secrets/actions/workflows/goreleaser.yml/badge.svg\" /\u003e\n\u003cimg src=\"https://github.com/benammann/git-secrets/actions/workflows/docker-release.yml/badge.svg\" /\u003e\n\u003ca 
href='https://coveralls.io/github/benammann/git-secrets?branch=dev-beta'\u003e\u003cimg src='https://coveralls.io/repos/github/benammann/git-secrets/badge.svg?branch=dev-beta' alt='Coverage Status' /\u003e\u003c/a\u003e\n\u003cimg src=\"https://img.shields.io/github/downloads/benammann/git-secrets/total\" /\u003e\n\u003cimg src=\"https://img.shields.io/github/license/benammann/git-secrets\" /\u003e\n\u003cbr/\u003e\n\u003cbr/\u003e\n\u003c/div\u003e\n\n\n\n* [Features](#features)\n* [How does it work](#how-does-it-work)\n* [Demo](#demo)\n* [Examples](#examples)\n* [Installation](#installation)\n- [Getting started](#getting-started)\n  * [Initialize the project](#initialize-the-project)\n  * [Encode a secret and add a config entry](#encode-a-secret-and-add-a-config-entry)\n  * [Decode the secrets and get the config entry](#decode-the-secrets-and-get-the-config-entry)\n  * [Create a `.env.dist` file](#create-a-envdist-file)\n  * [Scan for plain secrets](#scan-for-plain-secrets)\n  * [Custom Template Functions](#custom-template-functions)\n    + [Base64Encode](#base64encode)\n    + [GitConfig](#gitconfig)\n  * [Using Github-Actions](#using-github-actions)\n  * [Using Docker](#using-docker)\n- [Documentation](#documentation)\n  * [How the encryption is done](#how-the-encryption-is-done)\n    + [Named Secrets](#named-secrets)\n    + [Overwrite using CLI Args](#overwrite-using-cli-args)\n* [License](#license)\n\n### Features \n- Store secrets and configurations all in one place in your git repository\n- Render secrets and configurations to custom files (like .env, config or k8s files) using the go templating language (just like helm)\n- Manage multiple environments and inherit values from a default environment\n- Automatically scan your repository for leaked passwords using a git hook\n- Automatic configuration initialization and management using the CLI\n- Built for CI/CD (Docker / Github Actions)\n\n### How does it work\n\n- For each Project / Context you can use a 
**Encoder Secret**, which is stored at `~/.git-secrets.yaml`\n- The **Encoder Secret** is used to encode your passwords, which are then stored inside your git repository's `.git-secrets.json`\n- The encrypted secrets are then decoded and rendered using Go templates, as Helm does, for example (https://gowebexamples.com/templates/)\n- Each project can have multiple contexts, for example `default` and `prod`\n- Every custom context inherits from the `default` context, so you don't have to define values twice\n- You can use a different **Encoder Secret** in each context so each engineer can access only the secrets they need\n\n### Demo\n\n![](docs/img/git-secrets-demo.gif)\n\n### Examples\n\n- Encoding / Decoding: [with-binary-example](examples/with-binary-example)\n- Kubernetes Secrets: [render-kubernetes-secret](examples/render-kubernetes-secret)\n- Github Actions: [.github/workflows/docker-release.yml](.github/workflows/docker-release.yml)\n\n\n### Installation\n\n`Git-Secrets` is available on Linux, macOS and Windows platforms.\n\n* Binaries for Linux, Windows and Mac are available as tarballs on the [release](https://github.com/benammann/git-secrets/releases) page.\n\n\n* Via Curl for Linux and Mac (uses https://github.com/jpillora/installer)\n\n  ```shell\n  # without sudo\n  curl https://i.jpillora.com/benammann/git-secrets! | bash\n  \n  # using sudo (if mv fails)\n  curl https://i.jpillora.com/benammann/git-secrets!! 
| bash\n  ```\n\n* Via Homebrew for macOS or LinuxBrew for Linux\n\n   ```shell\n   brew install benammann/tap/git-secrets \n   ```\n\n* Via `go install`\n\n  ```shell\n  # NOTE: The dev version will be in effect!\n  go install github.com/benammann/git-secrets@latest\n  ```\n\n## Getting started\n\n### Initialize the project\nThe configuration is stored in a JSON file called `.git-secrets.json`. You can also specify a custom path using `-f \u003cpath-to-custom-file\u003e`\n\n```bash\n# Create a new global encoder secret (which you can later share with your team)\n# The command substitution is quoted because pwgen -y emits shell special characters\ngit secrets set global-secret mySecret --value \"$(pwgen -c 32 -n -s -y)\"\n\n# Get the value of the global encryption secret\ngit secrets get global-secret mySecret\n\n# Create a new .git-secrets.json\ngit secrets init\n\n# Get the initial information of the config file\ngit secrets info\n\n# Get the CLI's current version\ngit secrets version\n```\n\n### Encode a secret and add a config entry\n\nGit-Secrets allows you to store encrypted `Secrets` and plain `Configs`. Both are stored in `.git-secrets.json`\n\n```bash\n# Encode a value (uses interactive input)\ngit secrets set secret databasePassword\n\n# Write the value to a custom context\n# Add Context: git secrets add context dev\ngit secrets set secret databasePassword -c dev\n\n# Add a new config value\ngit secrets set config databaseHost db-host.svc.local\n\n# Write the config value to a custom context\n# Add Context: git secrets add context dev\ngit secrets set config databaseHost db-host.my-dev-db.svc -c dev\n```\n\n### Decode the secrets and get the config entry\n\n```bash\n# Get the decoded value\ngit secrets get secret databasePassword\n\n# Get the value stored in databaseHost\ngit secrets get config databaseHost\n```\n\n### Create a `.env.dist` file\n\nGit-Secrets allows you to render files using the `Secret` and `Config` values on the fly using Go templates, just like Helm. 
For a syntax reference, head over to https://gowebexamples.com/templates/\n\n````text\nDATABASE_HOST={{.Configs.databaseHost}}\nDATABASE_PASSWORD={{.Secrets.databasePassword}}\n````\n\nYou can have custom renderTargets to render files, for example `env` or `k8s`. You can then add multiple files to a renderTarget.\n\n````bash\n# always render empty.dist to .env\n# uses the targetName: env\ngit secrets add file empty.dist .env -t env\n\n# now execute the rendering process\n# this renders the empty.dist file to .env and fills out all variables using the default context\n# targetName: env\ngit secrets render env\n\n# prints all available variables\ngit secrets render env --debug\n\n# prints the rendered files to the console without actually writing the file\ngit secrets render env --dry-run\n\n# renders the files using the prod context\ngit secrets render env -c prod\n````\n\n### Scan for plain secrets\n\n`Git-Secrets` provides a simple command to scan for plain secrets in the project files.\n\n![](docs/img/git-secrets-scan-demo.png)\n\n````bash\n# scan all files added to git\ngit secrets scan -a\n\n# scan staged files only\ngit secrets scan\n\n# hint: add -v to show all the scanned file names\n````\n\nYou should use this command to set up a pre-commit git hook in your project. You can use Husky (https://typicode.github.io/husky/#/) to automatically install and set up the hook.\n\n\n### Custom Template Functions\n\nGit Secrets extends the Go templating engine with some useful functions.\n\n#### Base64Encode\n\nThe Base64Encode function takes the first argument and encodes it as Base64. This allows you to render Kubernetes Secrets.\n\n````yaml\n# Created by git-secrets\napiVersion: v1\ndata:\n  apiPassword: \"{{ Base64Encode .Secrets.applicationAPassword }}\"\nkind: Secret\nmetadata:\n  name: api-application-a\n  namespace: {{.Configs.namespace}}\ntype: Opaque\n````\n\n#### GitConfig\n\nGitConfig allows you to resolve git config values. 
For example, if you want to render files individually for the developer\n\n````text\nGIT_NAME={{GitConfig \"user.name\"}}\nGIT_EMAIL={{GitConfig \"user.email\"}}\n````\n### Using Github-Actions\n\nThere is a github-action available to easily decode secrets in your CI/CD Pipeline: https://github.com/marketplace/actions/decrypt-secret\n\nExample Usage\n\n````yaml\n- name: Decrypt Secret Value\n  id: test_secret\n  uses: benammann/git-secrets-get-secret-action@v1\n  with:\n    name: testSecret\n    decryptSecretName: getsecretactionpublic\n    decryptSecretValue: ${{ secrets.GET_SECRET_ACTION_PUBLIC_SECRET }}\n- name: Echo the output\n  run: echo \"${{ steps.test_secret.outputs.value }}\"\n````\n\n### Using Docker\n\nThere is also a Docker Image available: `benammann/git-secrets`.\n\nSince git-secrets normally depends on a global `.git-secrets.yaml`, you need to use the `--secret` parameter to pass the encryption secret on the command line.\nYou also need to mount the project's `.git-secrets.json` file using docker volume mounts.\n\n````bash\n# just execute the help command\ndocker run benammann/git-secrets help\n\n# get all the information about the .git-secrets.json file:\n# - mount .git-secrets.json to /git-secrets/.git-secrets.json\n# - use the official docker image\n# - execute the info command\ndocker run \\\n  -v \"$PWD/.git-secrets.json:/git-secrets/.git-secrets.json\" \\\n  benammann/git-secrets \\\n  info\n\n# decrypt the secret crToken:\n# - mount .git-secrets.json to /git-secrets/.git-secrets.json\n# - use the official docker image\n# - pass the encryption secret 'gitsecretspublic' including its value from a local environment variable to docker\ndocker run \\\n  -v \"$PWD/.git-secrets.json:/git-secrets/.git-secrets.json\" \\\n  benammann/git-secrets \\\n  --secret \"gitsecretspublic=${SECRET_VALUE}\" \\\n  get secret crToken\n````\n\n## Documentation\n\n### How the encryption is done\n\nGit-Secrets uses AES-256 to encrypt / decrypt the secrets. 
Read more about it here [Advanced Encryption Standard](https://de.wikipedia.org/wiki/Advanced_Encryption_Standard).\n\nThe encryption key is stored outside your git repository and can be referenced using multiple methods.\n\nThe implementation can be found here [engine_aes.go](pkg/encryption/engine_aes.go).\n\n#### Named Secrets\nNamed secrets are stored in `~/.git-secrets.yaml` and have a name. You can then reference it using the `context.decryptSecret.fromName` key.\n\n````\n\"decryptSecret\": {\n    \"fromName\": \"withbinaryexample\"\n},\n````\n\nYou can define a `decryptSecret` in each context to, for example, encrypt the production secrets using a different encryption key. This can be useful to not let your developers know the CI/CD Secrets.\n\nThe CLI provides multiple ways to configure and manage your global secrets.\n```bash\n# Generate via pwgen and pass it using --value\n# (quoted because pwgen -y emits shell special characters)\ngit secrets set global-secret mySecret --value \"$(pwgen -c 32 -n -s -y)\"\n\n# Set manually using interactive input\ngit secrets set global-secret mySecret\n\n# Get the written secret\ngit secrets get global-secret mySecret\n\n# Get all global secret names\ngit secrets get global-secrets\n```\n\n#### Overwrite using CLI Args\n\nIn case you don't want to store the secrets globally and on the disk, you can also use the following cli args to inject the secrets at runtime\n\n```bash\n# Uses the secrets passed via --secret (insecure: command-line arguments are visible in the process list)\n# SECRET_VALUE and SECRET_VALUE_1 are environment variables\ngit secrets get secret mySecret --secret \"secretName=${SECRET_VALUE}\" --secret \"secretName1=${SECRET_VALUE_1}\"\n```\n\n# License\n\nThe scripts and documentation in this project are released under the [MIT License](LICENSE)","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbenammann%2Fgit-secrets","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbenammann%2Fgit-secrets","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbenammann%2Fgit-secrets/lists"}