{"id":23492819,"url":"https://github.com/cybrota/whispr","last_synced_at":"2025-12-14T09:57:36.662Z","repository":{"id":258716933,"uuid":"873946095","full_name":"cybrota/whispr","owner":"cybrota","description":"A multi-vault secret injection tool for safely injecting secrets into app environment","archived":false,"fork":false,"pushed_at":"2025-10-27T06:46:11.000Z","size":439,"stargazers_count":130,"open_issues_count":16,"forks_count":3,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-11-28T01:49:21.480Z","etag":null,"topics":["aws-secrets-manager","azure-keyvault","command-line-tool","cybersecurity","developer-experience","devops-tools","devsecops","gcp-secrets-manager","hashicorp-vault","python","secure-coding","secure-software-development","security","security-tools"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cybrota.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"docs/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":".github/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"docs/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-10-17T01:48:11.000Z","updated_at":"2025-11-03T08:49:49.000Z","dependencies_parsed_at":"2024-10-26T17:52:44.377Z","dependency_job_id":"4c8be8ad-8e10-4beb-9a71-878478878d14","html_url":"https://github.com/cybrota/whispr","commit_stats":null,"previous_names":["narenaryan/whispr","cybrota/whispr"],"tags_count":8,"template":false,"template_full_name":null,"purl":"pkg:github/cybrota/whispr","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cybrota%2Fwhispr","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cybrota%2Fwhispr/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cybrota%2Fwhispr/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cybrota%2Fwhispr/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cybrota","download_url":"https://codeload.github.com/cybrota/whispr/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cybrota%2Fwhispr/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":27725759,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-12-14T02:00:11.348Z","response_time":56,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws-secrets-manager","azure-keyvault","command-line-tool","cybersecurity","developer-experience","devops-tools","devsecops","gcp-secrets-manager","hashicorp-vault","python","secure-coding","secure-software-development","security","security-tools"],"created_at":"2024-12-25T02:02:21.115Z","updated_at":"2025-12-14T09:57:36.649Z","avatar_url":"https://github.com/cybrota.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"# Whispr\n[![Downloads](https://static.pepy.tech/badge/whispr/month)](https://pepy.tech/project/whispr)\n[![Coverage Status](https://coveralls.io/repos/github/narenaryan/whispr/badge.svg)](https://coveralls.io/github/narenaryan/whispr)\n\n\u003cpicture width=\"500\"\u003e\n  \u003csource\n    width=\"100%\"\n    media=\"(prefers-color-scheme: dark)\"\n    src=\"https://github.com/cybrota/whispr/blob/main/logo.png\"\n    alt=\"Scarfer logo (dark)\"\n  /\u003e\n  \u003cimg\n    width=\"100%\"\n    src=\"https://github.com/cybrota/whispr/blob/main/logo.png\"\n    alt=\"Sharfer logo (light)\"\n  /\u003e\n\u003c/picture\u003e\n\nSafely inject secrets into your app's environment from your favorite secret vault (Ex: AWS Secrets Manager, Azure Key Vault etc.).\n\nWhispr uses keys (with empty values) specified in a `.env` file and fetches respective secrets from a vault, and sets them as environment variables before launching an application.\n\nInstall whispr easily with pip!\n\n```bash\npip install whispr\n```\n\nKey Features of Whispr:\n\n* **Safe Secret Injection**: Fetch and inject secrets from your desired vault using HTTPS, SSL encryption, strict CERT validation.\n* **Just In Time (JIT) Privilege**: Set environment variables for developers only when they're needed.\n* **Secure Development**: Eliminate plain-text secret storage and ensure a secure development process.\n* **Customizable Configurations**: Configure project-level settings to manage multiple secrets for multiple projects.\n* **No Custom Scripts Required**: Whispr eliminates the need for custom bash scripts or cloud CLI tools to manage secrets, making it easy to get started.\n* **Easy Installation**: Cross-platform installation with PyPi.\n* **Generate Random Sequences for key rotation**: Whispr can generate crypto-safe random sequences with a given length. Great for secret rotation.\n\nSupported Vault Technologies:\n\n1. AWS Secrets Manager\n2. AWS SSM Parameter Store\n3. Microsoft Azure Key Vault\n4. Google Cloud Secret Manager\n\n![Supported-vaults](https://github.com/narenaryan/whispr/raw/main/whispr-supported.png)\n\n\n# Why use Whispr ?\n\nThe MITRE ATT\u0026CK Framework Tactic 8 (Credential Access) suggests that adversaries can exploit plain-text secrets and sensitive information stored in files like `.env`. It is essential to avoid storing\nsensitive information in unencrypted files. To help developers, Whispr can safely fetch and inject secrets from a vault into the app environment or pass them as standard input just in time. This enables developers to securely manage\ncredentials and mitigate advisory exploitation tactics.\n\nIn simple terms, you can store your secrets in AWS Secrets Manager/Parameter Store, create an empty `.env` file with keys mapped to cloud vault secret, then inject those mapped secrets into your program's environment.\n\n# Getting Started\n\n## Installing Whispr\n\nTo get started with latest version of Whispr, simply run:\n\n```bash\npip install -U whispr\n```\n\n## Configuring Your Project\n\n**Step 1: Initialize Whispr**\n\nRun `whispr init \u003cvault_type\u003e` in your terminal to create a `whispr.yaml` file in your project root. This file will store your configuration settings.\n\nThe available vault types are: `aws`, `azure`, and `gcp`.\n\n**Example whispr.yaml contents (For: AWS):**\n```yaml\nenv_file: '.env'\nsecret_name: \u003cyour_secret\u003e\nvault: aws\ntype: secrets-manager\n```\nThis default configuration will inject fetched secrets into `os.environ` of main process.\n\nFor AWS SSM parameter store, the same config looks like this:\n```yaml\nenv_file: '.env'\nsecret_name: \u003cyour_secret\u003e\nvault: aws\ntype: parameter-store\n```\n\nIf your app instead want to receive secrets as STDIN arguments, use `no_env: true` field.\nThis is a secure way than default control but app now should parse arguments itself.\n\n```yaml\nenv_file: '.env'\nsecret_name: \u003cyour_secret\u003e\nvault: aws\ntype: parameter-store\nno_env: true # Setting true will send KEY1=VAL1 secret pairs as command args\n```\n\nSee [whispr.yaml.example](https://github.com/narenaryan/whispr/raw/main/whispr.yaml.example) for configuration related to other supported vault types.\n\n## Setting Up Your Injectable Secrets\n\n**Step 2: Create or Configure a Secret File**\n\nCreate a new `.env` file with empty values for your secret keys. For example:\n\n```bash\nPOSTGRES_USERNAME=\nPOSTGRES_PASSWORD=\n```\n\n**Note**: You can also control filename with `env_file` key in your `whispr.yaml`.\n\n**Step 3: Authenticating to Your Vault (Ex:AWS)**\n\n*   Authenticate to AWS using Short-term credentials.\n*   Alternatively, set temporary AWS credentials using a config file or environment variables.\n\n**Note**: Use respective authentication methods for other vaults.\n\n## Launch any Application using Whispr (Requires a configuration file: `whispr.yaml`)\nIn contrary to programmatic access, if you want to run a script/program do: `whispr run '\u003cyour_app_command_with_args\u003e'` (mind the single quotes around command) to inject your secrets before starting the subprocess.\n\nExamples:\n```bash\nwhispr run 'python main.py' # Inject secrets and run a Python program\nwhispr run 'node server.js --threads 4' # Inject secrets and run a Node.js express server\nwhispr run 'django manage.py runserver' # Inject secrets and start a Django server\nwhispr run '/bin/sh ./script.sh' # Inject secrets and run a custom bash script. Script should be permitted to execute\nwhispr run 'semgrep scan --pro' # Inject Semgrep App Token and scan current directory with Semgrep SAST tool.\n```\n\nWhispr comes with handy utilities like:\n\n1. Audit a secret from vault\n\n```sh\n# Also equivalent to whispr secret get --vault=aws --secret=my_secret --region=us-east-1\nwhispr secret get -v aws -s my_secret -r us-east-1\n```\n\n2. Generate a crypto-safe random sequences for rotated secrets\n\n```sh\n# Also equivalent to whispr secret gen-random --length=16 --exclude='*/^'\nwhispr secret gen-random -l 16 -e '*/^'\n```\n\n## Programmatic access of Whispr (Doesn't require a configuration file)\n\nInstead of using Whispr as an execution tool, a Python program can programmatically inject secrets from a vault and launch a sub-process:\n\n```bash\npip install whispr\n```\n\nThen from Python code you can import important functions like this:\n\n```py\nfrom whispr.utils.vault import fetch_secrets\nfrom whispr.utils.process import execute_command\n\n# Assuming there is a AWS parameter store secret with name: my/secret with JSON-like string with values:\n# '{\"MY_DB_PASSWORD\": \"random_string\"}'\n\nconfig = {\n  \"vault\": \"aws\",\n  \"secret_name\": \"my/secret\",\n  \"type\": \"parameter-store\"\n  \"region\": \"us-west-2\"\n}\n\nsecrets = fetch_secrets(config)\n\n# Create a subprocess of a shell command/app with secrets.\ncommand = \"printenv\"\n# Environment list will have MY_DB_PASSWORD=random_string\ncp = execute_command(command.split(), no_env=False, secrets=secrets) # cp is CompletedProcess object.\n\ncommand = \"sh script.sh\"\n# script.sh will have access to env var MY_DB_PASSWORD\n# The injected secrets are cleaned from environment after script execution\ncp = execute_command(command.split(), no_env=False, secrets=secrets) # cp is CompletedProcess object.\n```\n\nThat's it. This is a programmatic equivalent to the tool usage which allows programs to fetch secrets from vault at run time.\n\n## TODO\n\nSupport:\n\n* Bitwarden Vault\n* HashiCorp Vault\n* 1Password Vault\n* K8s secret patching\n* Container patching (docker)\n* Increased test coverage\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcybrota%2Fwhispr","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcybrota%2Fwhispr","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcybrota%2Fwhispr/lists"}