{"id":18960259,"url":"https://github.com/dopplerhq/gitops-secrets-nodejs","last_synced_at":"2025-09-11T23:44:14.954Z","repository":{"id":37459084,"uuid":"463203505","full_name":"DopplerHQ/gitops-secrets-nodejs","owner":"DopplerHQ","description":"GitOps encrypted secrets workflow for Node.js","archived":false,"fork":false,"pushed_at":"2024-06-24T15:53:38.000Z","size":290,"stargazers_count":26,"open_issues_count":6,"forks_count":7,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-08-13T11:57:24.604Z","etag":null,"topics":["secret-management","secrets","secrets-management","secrets-manager","security"],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DopplerHQ.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.txt","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-02-24T15:38:44.000Z","updated_at":"2024-08-19T16:48:01.000Z","dependencies_parsed_at":"2024-06-19T05:25:48.309Z","dependency_job_id":"86b5bb86-f9e1-4f71-b91f-5b49457baaf8","html_url":"https://github.com/DopplerHQ/gitops-secrets-nodejs","commit_stats":{"total_commits":33,"total_committers":5,"mean_commits":6.6,"dds":0.303030303030303,"last_synced_commit":"c5bf19710bd1fb382affa95d4bc77d20b5563feb"},"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/DopplerHQ/gitops-secrets-nodejs","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DopplerHQ%2Fgitops-secrets-nodejs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/Git
Hub/repositories/DopplerHQ%2Fgitops-secrets-nodejs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DopplerHQ%2Fgitops-secrets-nodejs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DopplerHQ%2Fgitops-secrets-nodejs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DopplerHQ","download_url":"https://codeload.github.com/DopplerHQ/gitops-secrets-nodejs/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DopplerHQ%2Fgitops-secrets-nodejs/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":274727713,"owners_count":25338400,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-11T02:00:13.660Z","response_time":74,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["secret-management","secrets","secrets-management","secrets-manager","security"],"created_at":"2024-11-08T14:05:03.318Z","updated_at":"2025-09-11T23:44:14.926Z","avatar_url":"https://github.com/DopplerHQ.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# GitOps Secrets\n\nA SecretOps workflow for bundling encrypted secrets into your deployments.\n\n![GitOps SecretsDiagram](https://user-images.githubusercontent.com/133014/158977309-ce9efc17-ba94-4cb7-a7a4-bdb101a67e6d.jpg)\n\n## Usage\n\n1. 
Install the `gitops-secrets` package:\n\n```sh\nnpm install gitops-secrets\n```\n\n2. Bundle encrypted secrets into your build\n\n```js\n// ./bin/encrypt-secrets.js\nconst secrets = require(\"gitops-secrets\");\n\nasync function main() {\n  const payload = await secrets.providers.doppler.fetch();\n  secrets.build(payload);\n}\n\nmain();\n```\n\n```js\n// package.json\n{\n  \"scripts\": {\n    ...\n    \"encrypt-secrets\": \"node ./bin/encrypt-secrets.js\"\n  }\n}\n```\n\n3. Decrypt secrets at runtime\n\n```js\nconst { loadSecrets } = require(\"gitops-secrets\");\nconst secrets = loadSecrets();\n```\n\n## Background and Motivation\n\nExceeding AWS Lambda's 4KB environment variable limit is a common problem that also impacts platforms such as [Vercel](https://vercel.com/support/articles/how-do-i-workaround-vercel-s-4-kb-environment-variables-limit) and the [Serverless framework](https://www.serverless.com/framework/docs/providers/aws/guide/variables) which deploy on top of AWS Lambda.\n\nA SecretOps workflow that bundles encrypted secrets into a deployment eliminates such environment variable limits without insecure hacks such as storing unencrypted .env files in your builds.\n\nAs creators of the [Doppler SecretOps Platform](https://www.doppler.com/), which provides secrets sync integrations for [Vercel](https://vercel.com/integrations/doppler) and [Serverless](https://docs.doppler.com/docs/enclave-installation-serverless), we built this to provide a secure solution for our customers and the open source community.\n\nOur goal was to design a new way of accessing secrets in production that:\n\n- Allowed for a secrets payload of any size\n- Could be up and running in minutes\n- Scaled to work in any environment, including local development\n- Could support the most restrictive serverless platforms\n- Provided first-class support for ES modules\n- Prevented unencrypted secrets from ever touching the file system\n- Abstracted away the complexity of secrets fetching using 
community-contributed [providers](./src/providers/)\n\n## Providers\n\nA provider is designed to abstract away the complexities of fetching secrets from any secret manager or secrets store by exposing a single async `fetch` method.\n\nA secrets provider returns a plain Key-Value Object to ensure that serializing to and from JSON during encryption and decryption produces the same object structure initially fetched from the provider.\n\nThe current list of providers is:\n\n- [Doppler](./src/providers/doppler.js)\n\nWe'd love to see the list of providers grow! Please see our [contributing guide](CONTRIBUTING.md) to get started.\n\n## Encryption and Decryption\n\nThere are two file formats available for bundling encrypted secrets into your deployments:\n\n- **JSON**: Encrypted JSON file.\n- **JS Module**: Encrypted JSON embedded in JS module.\n\n### JSON\n\nTo encrypt secrets to a JSON file:\n\n```js\nconst secrets = require(\"gitops-secrets\");\n\nasync function main() {\n  const payload = await secrets.providers.doppler.fetch();\n\n  // Internally managed storage\n  secrets.encryptToFile(payload);\n\n  // Custom path\n  secrets.encryptToFile(payload, { path: \".secrets.enc.json\" });\n}\n\nmain();\n```\n\nTo decrypt secrets from a JSON file:\n\n```js\nconst { decryptFromFile } = require(\"gitops-secrets\");\n\n// Option 1: Internally managed storage\nconst secrets = decryptFromFile();\n\n// Option 2: Custom path (use instead of option 1)\n// const secrets = decryptFromFile(\".secrets.enc.json\");\n\n// Optionally merge secrets into environment variables\nsecrets.populateEnv();\n```\n\n### JS Module\n\nThe JS module format is ideal for restricted environments such as Vercel where application-wide access to reading static files is problematic.\n\nDepending upon the deployment platform and framework, you can potentially omit the `path` parameter to have encrypted secrets access and storage managed internally for you.\n\nBut if using Vercel with Next.js for example, the `path` configures the module to be output in 
your codebase with the format of the module matching that of your application.\n\nTo encrypt secrets to a JS module:\n\n```js\nconst secrets = require(\"gitops-secrets\");\n\nasync function main() {\n  const payload = await secrets.providers.doppler.fetch();\n\n  // Option 1: Internally managed storage\n  secrets.build(payload);\n\n  // Option 2: Custom path for restrictive environments\n  secrets.build(payload, { path: \"lib/secrets.js\" });\n}\n\nmain();\n```\n\nTo decrypt secrets from a JS module using internally managed storage, use the package-level `loadSecrets` method:\n\n```js\nconst { loadSecrets } = require(\"gitops-secrets\");\n\nconst secrets = loadSecrets();\n\n// Optionally merge secrets into environment variables\nsecrets.populateEnv();\n```\n\nOr use the `loadSecrets` method from the generated module (ES modules also supported):\n\n```js\nconst { loadSecrets } = require(\"../lib/secrets\");\nconst secrets = loadSecrets();\n\n// Optionally merge secrets into environment variables\nsecrets.populateEnv();\n```\n\n## Getting Started\n\nWe recommend checking out the [Working around Vercel's 4KB Environment Variables Limit for Node.js with GitOps Secrets](https://hashnode.com/preview/623404babef4c71aa6f0d65e) blog post which guides you through the entire process.\n\nOr take a look at the [Vercel GitOps Secrets Next.js sample repository](https://github.com/DopplerUniversity/vercel-gitops-secrets-nextjs) to see a complete working example that you can test and deploy to Vercel.\n\n## Support\n\nYou can get support in the [Doppler community forum](https://community.doppler.com/), find us on [Twitter](https://twitter.com/doppler), and for bugs or feature requests, [create an issue](https://github.com/DopplerHQ/gitops-secrets-nodejs/issues) on the [DopplerHQ/gitops-secrets-nodejs](https://github.com/DopplerHQ/gitops-secrets-nodejs) GitHub repository.\n\nWe'd also love to see the number of providers grow, and you can check out our [contributing 
guide](CONTRIBUTING.md) to get started.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdopplerhq%2Fgitops-secrets-nodejs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdopplerhq%2Fgitops-secrets-nodejs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdopplerhq%2Fgitops-secrets-nodejs/lists"}