{"id":13836972,"url":"https://github.com/ejcx/passgo","last_synced_at":"2026-03-01T14:05:45.660Z","repository":{"id":54754622,"uuid":"54242799","full_name":"ejcx/passgo","owner":"ejcx","description":"Simple golang password manager.","archived":false,"fork":false,"pushed_at":"2023-03-27T20:33:22.000Z","size":108,"stargazers_count":525,"open_issues_count":9,"forks_count":42,"subscribers_count":18,"default_branch":"master","last_synced_at":"2025-07-10T21:23:08.428Z","etag":null,"topics":["golang","passgo","password-vault"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ejcx.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2016-03-19T02:15:32.000Z","updated_at":"2025-04-02T11:49:42.000Z","dependencies_parsed_at":"2024-04-12T13:11:05.736Z","dependency_job_id":null,"html_url":"https://github.com/ejcx/passgo","commit_stats":{"total_commits":61,"total_committers":16,"mean_commits":3.8125,"dds":0.7377049180327868,"last_synced_commit":"c32b02726efa7343880f201e827c24f1e59ce165"},"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/ejcx/passgo","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ejcx%2Fpassgo","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ejcx%2Fpassgo/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ejcx%2Fpassgo/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ejcx%2Fpassgo/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/o
wners/ejcx","download_url":"https://codeload.github.com/ejcx/passgo/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ejcx%2Fpassgo/sbom","scorecard":{"id":370349,"data":{"date":"2025-08-11","repo":{"name":"github.com/ejcx/passgo","commit":"c32b02726efa7343880f201e827c24f1e59ce165"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":1.9,"checks":[{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Code-Review","score":3,"reason":"Found 3/9 approved changesets -- score normalized to 3","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the 
project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses 
fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v2.0.0 not signed: https://api.github.com/repos/ejcx/passgo/releases/15745176","Warn: release artifact v2.0.0 does not have provenance: https://api.github.com/repos/ejcx/passgo/releases/15745176"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":0,"reason":"12 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2022-0209 / GHSA-r5c5-pr8j-pfp7","Warn: Project is vulnerable to: GO-2023-1992 / GHSA-x3jr-pf6g-c48f","Warn: Project is vulnerable to: GO-2022-0229 / GHSA-cjjc-xp8v-855w","Warn: Project is vulnerable to: GO-2020-0012 / GHSA-ffhg-7mh4-33c4","Warn: Project is vulnerable to: GO-2021-0227 / GHSA-3vm4-22fp-5rfm","Warn: Project is vulnerable to: GO-2022-0968 / 
GHSA-gwc9-m7rh-j2ww","Warn: Project is vulnerable to: GO-2021-0356 / GHSA-8c26-wmh5-6g9v","Warn: Project is vulnerable to: GO-2024-2961","Warn: Project is vulnerable to: GO-2023-2402 / GHSA-45x7-px36-x8w8","Warn: Project is vulnerable to: GO-2024-3321 / GHSA-v778-237x-gjrc","Warn: Project is vulnerable to: GO-2025-3487 / GHSA-hcg3-q754-cr77","Warn: Project is vulnerable to: GO-2022-0493 / GHSA-p782-xgp4-8hr8"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 27 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-18T12:47:48.314Z","repository_id":54754622,"created_at":"2025-08-18T12:47:48.314Z","updated_at":"2025-08-18T12:47:48.314Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29970546,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-01T13:32:00.443Z","status":"ssl_error","status_checked_at":"2026-03-01T13:32:00.084Z","response_time":124,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["golang","passgo","password-vault"],"created_at":"2024-08-04T15:00:58.402Z","updated_at":"2026-03-01T14:05:45.638Z","avatar_url":"https://github.com/ejcx.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"# passgo\nstores, retrieves, generates, and synchronizes passwords and files securely and is written in Go! It is inspired by https://passwordstore.org but has a few key differences. The most important difference is passgo is not GPG based. Instead it uses a master password to securely store your passwords. It also supports encrypting arbitrary files.\n\n\u003cimg style=\"max-width:400px\" src=\"https://i.imgur.com/hFXVr4t.gif\"\u003e\n\npassgo is meant to be secure enough that you can publicly post your vault. I've started publishing my passwords [here](https://github.com/ejcx/passwords.git).\n\n## Installation\n\n`passgo` requires Go version 1.11 or later.\n\n```bash\n(cd; GO111MODULE=on go install github.com/ejcx/passgo/v2)\n```\n\n## Getting started with passgo\n\nCreate a vault and specify the directory to store passwords in. 
You will be prompted for your master password:\n\n```bash\n$ passgo init\nPlease enter a strong master password:\n2019/02/23 16:54:31 Created directory to store passwords: ~/.passgo\n```\n\nFinally, to learn more you can either read about the commands listed in this README or run:\n\n```bash\npassgo help\n```\n\nThe `--help` argument can be used on any subcommand to describe it and see documentation or examples.\n\n## Configuring passgo\nThe `PASSGODIR` environment variable specifies the directory that your vault is in.\n\nI store my vault in the default location `~/.passgo`. All subcommands will respect this environment variable, including `init`.\n\n\n## COMMANDS\n\n### Listing Passwords\n```\n$ passgo\n├──money\n|  └──mint.com\n└──another\n   └──another.com\n```\n\nThis basic command prints the contents of your password vault. It doesn't require you to enter your master password.\n\n\n### Initializing Vault\n```\n$ passgo init\n```\n`init` should be run only once, before running any other command. It generates your master public/private keypair.\n\nBy default, passgo will create your password vault in the `.passgo` directory within your home directory. You can override this location using the `PASSGODIR` environment variable.\n\n\n\n### Inserting a password\n```\n$ passgo insert money/mint.com\nEnter password for money/mint.com: \n```\n\nInserting a password into your vault is easy. To group multiple entries together, prepend a group name followed by a slash to the pass-name. \n\nHere we are adding mint.com to the password store within the money group.\n\n\n### Inserting a file\n```\n$ passgo insert money/budget.csv budget.csv\n```\n\nAdding a file works almost the same as inserting a password, except that it takes an extra argument. The file that you want to add to your vault is the final argument. 
\n\n\n### Retrieving a password\n```\n$ passgo show money/mint.com\nEnter master password:\ndolladollabills$$1\n```\n\nShow is used to display a password in standard out.\n\n\t\n### Rename a password\n```\n$ passgo rename mney/mint.com\nEnter new site name for mney/mint.com: money/mint.com\n```\n\nIf a password is added with the wrong name it can be updated later. Here we rename our mint.com site after misspelling the group name.\n\n\n### Updating a password\n```\n$ passgo edit money/mint.com\nEnter new password for money/mint.com:\n```\n\nIf you want to securely update a password for an already existing site, the edit command is helpful.\n\n\n\n### Generating a password\n```\n$ passgo generate\n%L4^!s,Rry!}s:U\u003cQwliL{vQ\n\n$ passgo generate 8\n[;K6otS3\n```\n\npassgo can also create randomly generated passwords. The default length of passgo generated passwords is 24 characters. This length can be changed by passing an optional length to the generate subcommand.\n\n\n### Searching the vault\n```\n $ passgo find money\n └──money\n    └──mint.com\n\n $ passgo ls money\n └──money\n    └──mint.com\n```\n`find` and `ls` can both be used to search for all sites that contain a particular substring. It's good for printing out groups of sites as well. `passgo ls` is an alias of `passgo find`.\n\n\n### Deleting a vault entry\n```\n$ passgo\n├──bb\n|  └──ff\n├──something\n|  └──somethingelse.com\n└──twiinsen.com\n   └──bbbbb\n\n$ passgo remove bb/ff\n\n$ passgo\n├──something\n|  └──somethingelse.com\n└──twiinsen.com\n   └──bbbbb\n```\n\nremove is used for removing sites from the password vault. `passgo rm` is an alias of `passgo remove`.\n\n\n\n### Getting Help\n```\n$ passgo --help\n```\n\nAll subcommands support the `--help` flag.\n\n\n## CRYPTOGRAPHY DETAILS\n###### Password Store Initialization.\npassgo only uses AEADs for encrypting data. When `passgo init` is run, users are prompted for a master password. 
A random salt is generated, and the master password and the salt are passed to the scrypt algorithm to generate a symmetric master key.\n\nA master public/private keypair is generated when `passgo init` is run. The symmetric master key is used to encrypt the master private key, while the master public key is left in plaintext.\n\n###### Generating Passwords.\nPassword generation takes place in the `pc` package, in the `GeneratePassword` function. `GeneratePassword` creates a random password by reading a large amount of randomness using the `func Read([]byte) (int, error)` function in the `crypto/rand` package.\n\nThe block of randomness is then read byte-by-byte. Printable characters that match the desired password specification (uppercase, lowercase, symbols, and digits) are then included in the generated password.\n\n###### Adding A Site.\nWhen a site is added to the password store, a new public/private key pair is generated. The newly generated private key, the user's master public key, and a securely generated nonce are used to encrypt the site's data.\n\nThe encryption and key computation are done using the `golang.org/x/crypto/nacl/box` package, which uses Curve25519, XSalsa20, and Poly1305 to encrypt and authenticate the site's data.\n\nAfter the site information is added, the site's generated private key is thrown away.\n\n## Threat model\nThe threat model of passgo assumes there are no attackers on your local machine. The passgo vault puts some level of trust in the remote git repository.\n\nAn evil git server could modify the public key of your vault. 
If the evil git server does this then passgo will tell you that the Vault integrity cannot be verified the next time you attempt to read a password.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fejcx%2Fpassgo","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fejcx%2Fpassgo","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fejcx%2Fpassgo/lists"}