{"id":15044561,"url":"https://github.com/elastic/harp","last_synced_at":"2025-10-09T15:36:23.495Z","repository":{"id":37983331,"uuid":"315900405","full_name":"elastic/harp","owner":"elastic","description":"Secret management by contract toolchain ","archived":false,"fork":false,"pushed_at":"2025-09-29T04:21:42.000Z","size":5491,"stargazers_count":152,"open_issues_count":11,"forks_count":20,"subscribers_count":8,"default_branch":"main","last_synced_at":"2025-10-06T00:34:40.276Z","etag":null,"topics":["cloud","cloud-security","cloud-storage","consul","encryption","etcdv3","gitops","golang","golang-library","kubernetes","kv-store","paseto","pipeline","rego","secret-management","secret-storage","unix-command","vault","yaml","zookeeper"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/elastic.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-11-25T10:11:02.000Z","updated_at":"2025-09-06T12:57:56.000Z","dependencies_parsed_at":"2025-01-10T20:13:42.973Z","dependency_job_id":"de9d24d5-cbf2-4cb5-961c-3e6c1b53b71e","html_url":"https://github.com/elastic/harp","commit_stats":{"total_commits":308,"total_committers":5,"mean_commits":61.6,"dds":0.577922077922078,"last_synced_commit":"31d6f5f9888f4ae486d2c5978b1dbfadb370ab66"},"previous_names":[],"tags_count":76,"template":false,"template_full_name":null,"purl":"pkg:github/elastic/harp","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposit
ories/elastic%2Fharp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elastic%2Fharp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elastic%2Fharp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elastic%2Fharp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/elastic","download_url":"https://codeload.github.com/elastic/harp/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elastic%2Fharp/sbom","scorecard":{"id":371257,"data":{"date":"2025-08-11","repo":{"name":"github.com/elastic/harp","commit":"9cc631d7cf489933a15dad1d3b55647c67bcac30"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5.7,"checks":[{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":0,"reason":"1 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked 
content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:24","Info: jobLevel 'packages' permission set to 'read': .github/workflows/releaser.yml:18","Info: jobLevel 'contents' permission set to 'read': .github/workflows/security.yml:40","Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/security.yml:42","Info: jobLevel 'contents' permission set to 'read': .github/workflows/security.yml:96","Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/security.yml:98","Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1","Warn: topLevel 'packages' permission set to 'write': .github/workflows/docker.yml:11","Warn: no topLevel permission defined: .github/workflows/go.yml:1","Warn: no topLevel permission defined: .github/workflows/releaser.yml:1","Warn: no topLevel permission defined: .github/workflows/security.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least 
privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":3,"reason":"binaries present in source code","details":["Warn: binary detected: samples/oci-crate/postgres.bundle:1","Warn: binary detected: test/fixtures/bundles/100k.bundle:1","Warn: binary detected: test/fixtures/bundles/10k.bundle:1","Warn: binary detected: test/fixtures/bundles/1k.bundle:1","Warn: binary detected: test/fixtures/bundles/complete.aes-gcm.bundle:1","Warn: binary detected: test/fixtures/bundles/complete.bundle:1","Warn: binary detected: test/fixtures/bundles/empty.bundle:1"],"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Fuzzing","score":10,"reason":"project is fuzzed","details":["Info: GoBuiltInFuzzer integration found: test/fuzz/bundle/loader/fuzz_test.go:47","Info: GoBuiltInFuzzer integration found: test/fuzz/template/fuzz_test.go:47"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Pinned-Dependencies","score":3,"reason":"dependency not pinned by hash detected -- score normalized to 3","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:28: update your workflow using 
https://app.stepsecurity.io/secureworkflow/elastic/harp/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:56: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docker.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/docker.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/docker.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/docker.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/docker.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/docker.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/docker.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker.yml:51: 
update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/docker.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/docker.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:107: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/go.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:110: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/go.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:115: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/go.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:140: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/go.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:143: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/go.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:148: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/go.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:173: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/go.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:176: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/go.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:181: update your workflow using 
https://app.stepsecurity.io/secureworkflow/elastic/harp/go.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/go.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/go.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/go.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/go.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/go.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:87: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/go.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:90: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/go.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/releaser.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/releaser.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/releaser.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/releaser.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/releaser.yml:34: update your workflow using 
https://app.stepsecurity.io/secureworkflow/elastic/harp/releaser.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/releaser.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/releaser.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/releaser.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/releaser.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/security.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/security.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/security.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security.yml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/security.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security.yml:102: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/security.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security.yml:116: update your workflow using https://app.stepsecurity.io/secureworkflow/elastic/harp/security.yml/main?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:3","Warn: containerImage not pinned by hash: Dockerfile:28: pin your Docker image by updating alpine:3 to alpine:3@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","Info:   0 out of  30 GitHub-owned GitHubAction dependencies 
pinned","Info:   9 out of  18 third-party GitHubAction dependencies pinned","Info:   0 out of   2 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/releaser.yml:15"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Signed-Releases","score":8,"reason":"3 out of the last 3 releases have a total of 3 signed artifacts.","details":["Info: signed release artifact: checksums.txt.sig: https://github.com/elastic/harp/releases/tag/v0.2.12","Info: signed release artifact: checksums.txt.sig: https://github.com/elastic/harp/releases/tag/v0.2.10","Info: signed release artifact: checksums.txt.sig: https://github.com/elastic/harp/releases/tag/v0.2.8","Warn: release artifact v0.2.12 does not have provenance: https://api.github.com/repos/elastic/harp/releases/215890373","Warn: release artifact v0.2.10 does not have provenance: https://api.github.com/repos/elastic/harp/releases/61708356","Warn: release artifact v0.2.8 does not have provenance: https://api.github.com/repos/elastic/harp/releases/60567413"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":5,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' 
disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Warn: 'branch protection settings apply to administrators' is disabled on branch 'main'","Warn: 'stale review dismissal' is disabled on branch 'main'","Warn: required approving review count is 1 on branch 'main'","Info: codeowner review is required on branch 'main'","Warn: 'last push approval' is disabled on branch 'main'","Warn: no status checks found to merge onto branch 'main'","Info: PRs are required in order to make changes on branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":0,"reason":"11 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2025-3829","Warn: Project is vulnerable to: GO-2025-3485 / GHSA-c6gw-w398-hv78","Warn: Project is vulnerable to: GO-2025-3787 / GHSA-fv92-fjc5-jj9h","Warn: Project is vulnerable to: GO-2025-3660 / GHSA-6m8w-jc87-6cr7","Warn: Project is vulnerable to: GO-2024-2631 / GHSA-c5q2-7r4c-mv6g","Warn: Project is vulnerable to: GO-2025-3487 / GHSA-hcg3-q754-cr77","Warn: Project is vulnerable to: GO-2025-3503 / GHSA-qxp5-gwg8-xv66","Warn: Project is vulnerable to: GO-2025-3595 / GHSA-vvgc-356p-c3xw","Warn: Project is vulnerable to: GO-2025-3754 / GHSA-2x5j-vhc8-9cwm","Warn: Project is vulnerable to: GO-2025-3367 / GHSA-r9px-m959-cxf4","Warn: Project is vulnerable to: GO-2025-3368 / GHSA-v725-9546-7q7m"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":8,"reason":"SAST tool detected but not run on all commits","details":["Info: SAST configuration detected: CodeQL","Warn: 17 commits out of 30 are 
checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-18T13:01:21.087Z","repository_id":37983331,"created_at":"2025-08-18T13:01:21.087Z","updated_at":"2025-08-18T13:01:21.087Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279001646,"owners_count":26083147,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-09T02:00:07.460Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloud","cloud-security","cloud-storage","consul","encryption","etcdv3","gitops","golang","golang-library","kubernetes","kv-store","paseto","pipeline","rego","secret-management","secret-storage","unix-command","vault","yaml","zookeeper"],"created_at":"2024-09-24T20:50:43.446Z","updated_at":"2025-10-09T15:36:23.476Z","avatar_url":"https://github.com/elastic.png","language":"Go","readme":"[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)\n[![Go Report Card](https://goreportcard.com/badge/github.com/elastic/harp)](https://goreportcard.com/report/github.com/elastic/harp)\n[![made-with-Go](https://img.shields.io/badge/Made%20with-Go-1f425f.svg)](http://golang.org)\n[![GitHub 
release](https://img.shields.io/github/release/elastic/harp.svg)](https://github.com/elastic/harp/releases/)\n[![Maintenance](https://img.shields.io/badge/Maintained%3F-yes-green.svg)](https://github.com/elastic/harp/graphs/commit-activity)\n\n- [Harp](#harp)\n  - [TL;DR.](#tldr)\n  - [Visual overview](#visual-overview)\n  - [Why harp?](#why-harp)\n  - [Use cases](#use-cases)\n  - [How does it work?](#how-does-it-work)\n    - [Like a Data pipeline but for secret](#like-a-data-pipeline-but-for-secret)\n    - [Immutable transformation](#immutable-transformation)\n  - [What can I do?](#what-can-i-do)\n  - [FAQ](#faq)\n  - [License](#license)\n- [Homebrew install](#homebrew-install)\n- [Build instructions](#build-instructions)\n  - [Clone repository](#clone-repository)\n  - [Manual dev environment](#manual-dev-environment)\n    - [Check your go version](#check-your-go-version)\n      - [Go 1.17/1.16](#go-117116)\n      - [Go 1.18 (beta)](#go-118-beta)\n    - [Install mage](#install-mage)\n      - [From source](#from-source)\n    - [Daily](#daily)\n  - [With nix-shell](#with-nix-shell)\n  - [Bootstrap tools](#bootstrap-tools)\n  - [Docker](#docker)\n    - [For Tools](#for-tools)\n    - [For CLI](#for-cli)\n- [Plugins](#plugins)\n- [Community](#community)\n\n# Harp\n\nHarp is for Harpocrates (Ancient Greek: Ἁρποκράτης) the god of silence, secrets\nand confidentiality in the Hellenistic religion. - [Wikipedia](https://en.wikipedia.org/wiki/Harpocrates)\n\n## TL;DR.\n\nHarp is a tool set to operate secret management by contract. The objective is\nto reduce the value centric management by handling secret data in a\n`reproducible` way by providing a technical stack to describe how your value is\nmanaged by contracts and pipelines. Furthermore, we know that `naming thing is hard`,\nas a consequence a secret could be `consistently` associated to a `predictable`\nsecret identifier used as a key to refer to the secret value. 
Finally, the secret\ncan hold additional metadata (ownership, rotation period, leak severity, etc.)\nwhich can be consumed during the pipeline executions.\n\nThese key/value associations (path ⇒ value) form a `Bundle` stored in an\nimmutable file named a `Container`. This `Container` acts as a pivot format to\nallow Harp commands to communicate and create data management pipelines.\n\nIn addition to that, it provides a `template engine` used to generate various\nconfidence values (password, passphrase, crypto keys, etc.) and allow more\nsophisticated rendering operations (configuration files, etc.).\n\nFinally, it provides a `SDK` to allow developers to integrate `Harp` features\nin their products, and/or extend the Harp pipeline features by creating new\n[plugins](#plugins).\n\n## Visual overview\n\n![Visual overview](docs/harp/img/HARP_FLOW.png)\n\n## Why harp?\n\n* Secret management is in essence a collection of processes that must be\n  auditable, executable and reproducible for infosec and operation requirements;\n* Secret provisioning must be designed with secret rotation as a day one task,\n  due to the fact that secret data must be rotated periodically to keep its\n  secret property;\n* `Developers` should negotiate secret value for the secret consumer they are\n  currently developing, by the contract based on a path (reference to the secret)\n  and a value specification (for code contract) without the knowledge of the\n  final deployed value;\n* `Secret Operators` use different set of tools to achieve secret\n  management operation which increases the error/secret exposure probability due to\n  tool count involved in the process (incompatibility, changes, etc.);\n* Without a defined secret naming convention, the secret storage becomes difficult to\n  handle in time (naming is hard) and secret naming could not be helped to\n  get a consistent, reliable and flexible secret tree;\n* Secret storage backend can use various implementations in different 
environments\n  and should be provisioned consistently.\n\n## Use cases\n\n* You want to have a `single secret value` and you are asking yourself\n  `how to generate a strong password` - Harp has a template engine with secret\n  value generation functions to allow you to generate such values.\n* You have `thousands of secrets` to handle to deploy your platform/customers\n  `on multiple cloud providers` with `different secret storages` - Harp will help you\n  to define consistent secret provisioning bundles and pipelines.\n* You need an `ephemeral secret storage` to `bootstrap` your long term cloud\n  secret storage - Harp will help you to create\n  secret containers that can be consumed on deployment.\n* You want to `migrate massively` your secrets from one secret storage to\n  another - Harp provides you with a secret container to store these secrets while\n  they are being distributed to other secret storage implementations.\n* You have to `alter/modify` a secret (rotation/deprecation/renewal) - Harp\n  provides you with a `GitOps-able` secret `storage agnostic operation set`, so that you\n  can define a specification to describe how your secret operation is going to\n  be applied offline on the secret container.\n\n## How does it work?\n\n![Secret management Pipeline](docs/harp/img/SM-HARP-PIPELINE.png)\n\n### Like a Data pipeline but for secret\n\n`harp` allows you to handle secrets using deterministic pipelines expressed\nas an atomic series of CLI operations applied to a commonly shared, immutable\nand standalone container file system used to store a secret collection (Bundle)\ngenerated from a template engine via user specification, or from external secret\nvalues coming from files or external secret storage.\n\n![Pipelines](docs/harp/img/SM-HARP.png)\n\nThese pipelines use the immutable container file system as a data exchange\nprotocol and can be extended with new inputs, intermediary operations or outputs\nvia plugins created with the `harp` SDK.\n\n### Immutable 
transformation\n\nEach applied transformation creates a new container with the transformed data inside.\nThis enforces container reproducibility by eliminating cumulative\nside effects applied to the same container.\n\nThe container handles the confidentiality and integrity protection of the\nsecret collection stored inside, which is manipulated by copy during the\npipeline execution.\n\n## What can I do?\n\n\u003e New to harp? Start with the [onboarding tutorial](docs/onboarding/README.md)!\n\u003e TL;DR - [Features overview](FEATURES.md)\n\nHarp provides:\n\n* A methodology to design your secret management;\n  * Secret naming convention (CSO);\n  * A defined common language and complete processes to achieve secret management\n    operations;\n* An SDK to create your own tools to orchestrate your secret management pipelines;\n  * A container manipulation library exposed as `github.com/elastic/harp/pkg/container`;\n  * A secret bundle specification to store and manipulate secrets exposed as `github.com/elastic/harp/pkg/bundle`;\n  * An `on-steroid` template engine exposed as `github.com/elastic/harp/pkg/template`;\n  * A path name validation library exposed as `github.com/elastic/harp/pkg/cso`;\n* A CLI for secret management implementation\n  * CI/CD integration;\n  * Based on human-readable definitions (YAML);\n  * In order to create auditable and reproducible pipelines;\n  * An extensible tool which can be enhanced via [plugins](https://github.com/elastic/harp-plugins).\n\nAnd allows:\n\n* Bundle level operations\n  * Create a bundle from scratch / template / JSON (more via plugins);\n  * Generate a complete bundle using a YAML Descriptor (`BundleTemplate`) to describe secrets and their usages;\n  * Read values stored in the K/V virtual file system;\n  * Update the K/V virtual file system;\n  * Reproducible patches applied to an immutable container (copy-on-write);\n  * Import / Export to Vault.\n* Immutable container level operations\n  * Seal / Unseal a 
container for integrity and confidentiality property conservation\n    to enforce at-rest encryption (aes256-gcm96 or chacha20-poly1305);\n  * Multi-identity sealing algorithm;\n\n## FAQ\n\n* Is it used internally at Elastic? - Yes. It is used to generate the bootstrap\n  secrets for the new region infrastructure components.\n  #ChickenEggProblem\n\n* Does Harp only support `Vault`? - No, it has been published with only Vault\n  support built-in, but it supports many other secret storage implementations via\n  plugins.\n\n* What's the difference with `Vault`? - HashiCorp Vault is an encrypted, highly\n  available K/V store with an advanced authorization engine; it doesn't handle\n  secret provisioning for you. You can't ask Vault to generate secrets for your\n  application and store them using a defined logic. Harp fills this\n  requirement.\n\n## License\n\n`harp` artifacts and source code are released under the [Apache 2.0 Software License](LICENSE).\n\n# Homebrew install\n\nDownload a [release](https://github.com/elastic/harp/releases) or build from source.\n\nFor the stable version:\n\n```sh\nbrew tap elastic/harp\nbrew install elastic/harp/harp\n```\n\n# Build instructions\n\nDownload a [release](https://github.com/elastic/harp/releases) or build from source.\n\n## Clone repository\n\n```sh\n$ git clone git@github.com:elastic/harp.git\n$ export HARP_REPOSITORY=$(pwd)/harp\n```\n\n## Manual dev environment\n\n### Check your go version\n\n\u003e Only the last 2 minor versions of a major are supported.\n\n#### Go 1.17/1.16\n\n`Harp` is compiled with:\n\n```sh\n$ go version\ngo version go1.17.8 linux/amd64\n```\n\n\u003e Simple go version manager - \u003chttps://github.com/stefanmaric/g\u003e\n\n#### Go 1.18 (beta)\n\nGo 1.18 compilation is enabled for testing purposes, and `golangci-lint` appears to\nhang, so it has been disabled for the moment.\n\n### Install mage\n\n[Mage](https://magefile.org/) is an alternative to Make where the language used is Go.\nYou can 
install it using 2 different methods.\n\n#### From source\n\n```sh\n# Install mage\ngit clone https://github.com/magefile/mage\ncd mage\ngo run bootstrap.go\n```\n\n### Daily\n\n```sh\nexport PATH=$HARP_REPOSITORY/tools/bin:$PATH\n# Build harp in bin folder\nmage\n```\n\n## With nix-shell\n\nInstall `nix` on your system, if not already installed.\n\n```sh\n$ sudo install -d -m755 -o $(id -u) -g $(id -g) /nix\n$ curl -L https://nixos.org/nix/install | sh\n```\n\n\u003e More information? - \u003chttps://nixos.wiki/wiki/Nix_Installation_Guide\u003e\n\n```sh\n$ cd $HARP_REPOSITORY\n$ nix-shell\n```\n\n## Bootstrap tools\n\n```sh\n# Go to tools submodule\ncd $HARP_REPOSITORY/tools\n# Resolve dependencies\ngo mod tidy\ngo mod vendor\n# Pull tools sources, compile them and install executable in tools/bin\nmage\n```\n\n## Docker\n\n### For Tools\n\nYou have to build this image once before executing artifact pipelines.\n\n```sh\nmage docker:tools\n```\n\nOr you can download `harp-tools` from GitHub registry\n\n```sh\n# Standard usecase\n$ docker pull ghcr.io/elastic/harp/harp-tools:latest\n# FIPS compliant go toolchain\n$ docker pull ghcr.io/elastic/harp/harp-tools-fips:latest\n```\n\nCheck image integrity with `cosign` and the public key `build/artifact/cosign.pub`\n\n```sh\ncosign verify --key build/artifact/cosign.pub ghcr.io/elastic/harp/harp-tools:latest\n\nVerification for ghcr.io/elastic/harp/harp-tools:latest --\nThe following checks were performed on each of these signatures:\n  - The cosign claims were validated\n  - The signatures were verified against the specified public key\n  - Any certificates were verified against the Fulcio roots.\n\n[{\"critical\":{\"identity\":{\"docker-reference\":\"ghcr.io/elastic/harp/harp-tools\"},\"image\":{\"docker-manifest-digest\":\"sha256:1be31528e7b00c9e836479aadfdf49319f3b4d7916e705c43ffd0b14965763a8\"},\"type\":\"cosign container image 
signature\"},\"optional\":{\"ref\":\"40714fef947d018e6053991f5ddb54283f466b04\",\"repo\":\"elastic/harp\",\"workflow\":\"Build and push docker tools\"}}]\n```\n\n### For CLI\n\n```sh\n# or docker image [distroless:static, rootless, noshell]\nmage docker:harp\n# To execute in the container\ndocker run --rm -ti --read-only elastic/harp:\u003cversion\u003e\n```\n\n# Plugins\n\nYou can find more Harp feature extensions at \u003chttps://github.com/elastic/harp-plugins\u003e\n\n# Community\n\nHere is the list of external projects used as inspiration:\n\n* [Kubernetes](https://github.com/kubernetes/)\n* [Helm](https://github.com/helm/)\n* [Open Policy Agent ConfTest](https://github.com/open-policy-agent/conftest)\n* [SaltPack](https://github.com/keybase/saltpack)\n* [Hashicorp Vault](https://github.com/hashicorp/vault)\n* [AWS SDK Go](https://github.com/aws/aws-sdk-go)\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Felastic%2Fharp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Felastic%2Fharp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Felastic%2Fharp/lists"}