{"id":15773709,"url":"https://github.com/noqcks/gitsecrets","last_synced_at":"2025-06-11T20:34:02.028Z","repository":{"id":74419233,"uuid":"258550708","full_name":"noqcks/GitSecrets","owner":"noqcks","description":"A simple way to encrypt secrets in git and decrypt them at runtime.","archived":false,"fork":false,"pushed_at":"2020-04-27T16:26:31.000Z","size":2,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-10-11T16:08:20.847Z","etag":null,"topics":["aws-kms","ejson-kms","git-secrets","kms","secret-management","secrets-management"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/noqcks.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-04-24T15:27:08.000Z","updated_at":"2020-04-27T19:23:54.000Z","dependencies_parsed_at":null,"dependency_job_id":"bf4a34bd-72d0-426d-aff2-a74e4a6f9666","html_url":"https://github.com/noqcks/GitSecrets","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/noqcks%2FGitSecrets","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/noqcks%2FGitSecrets/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/noqcks%2FGitSecrets/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/noqcks%2FGitSecrets/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/noqcks"
,"download_url":"https://codeload.github.com/noqcks/GitSecrets/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246481005,"owners_count":20784458,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws-kms","ejson-kms","git-secrets","kms","secret-management","secrets-management"],"created_at":"2024-10-04T16:03:05.135Z","updated_at":"2025-03-31T14:16:57.081Z","avatar_url":"https://github.com/noqcks.png","language":"Shell","readme":"# GitSecrets\n\nThis repository describes an easy way to store your secrets encrypted in git. I believe that it is preferable to store your secrets encrypted in git along with your application code for greater repeatability of builds. \n\n## Philosophy\n\nWe believe that secrets and config are code. This idea is based on foundations laid out by\n[GitOps](https://www.weave.works/blog/gitops-operations-by-pull-request) and [Infrastructure As Code](https://martinfowler.com/bliki/InfrastructureAsCode.html).\n\nThe most important thing about including config/secrets as code is that every single\ngit commit is repeatable. This allows you to roll back to a previous version of your application with ease. It reduces the cognitive load on developers, since we no longer have to think about outside configuration when deploying applications.\n\n## How it Works\n\n1. Secrets are added encrypted to the GitHub repo using ejson-kms (a tool to store encrypted secrets using AWS KMS).\n2. Secret decryption scripts are COPY'd into your Dockerfile. \n3. 
Your containers/nodes/ECS tasks are given the necessary permissions to decrypt secrets using AWS IAM Roles.\n4. A Docker ENTRYPOINT is added to run the secret decryption script on container boot. \n\n\n## Quick Start\n\n### 0. Install ejson-kms\n\nSee [installation](https://github.com/adrienkohlbecker/ejson-kms#installation)\n\n### 1. Add new secrets file\n\n```\nejson-kms init --kms-key-id=\"your-kms-key-id\"\n```\n\n### 2. Add encrypted secrets to Dockerfile\n\n```\nCOPY _infra/secrets/ /opt/_infra/secrets/\n```\n\nNOTE: the decrypt.sh file expects secrets to be at _infra/secrets or /opt/_infra/secrets in the Docker image.\n\n### 3. Add secret install and secret decrypt script to Dockerfile\n\n```\n# EJSON-KMS Install\nADD scripts/install.sh /tmp/install.sh\nRUN chmod +x /tmp/install.sh \u0026\u0026 /tmp/install.sh \u0026\u0026 rm /tmp/install.sh\n\n# Secret Decryption\nADD scripts/decrypt.sh /usr/local/bin/decrypt\nRUN chmod +x /usr/local/bin/decrypt\n```\n\n### 4. Add Docker entrypoint\n\n```\nENTRYPOINT  [\"./entrypoint.sh\"]\n```\n\nThe `entrypoint.sh` file should look like this. \n\n```\n#!/usr/bin/env bash\n\n# source the decrypt script (found on PATH) so the decrypted secrets land in the current env\n. decrypt\n\n# exec the CMD arguments so the application replaces this shell as PID 1 and receives signals directly\nexec \"$@\"\n```\n\nThen use the CMD directive in your Dockerfile to run your application.\n\n```\nCMD [\"gunicorn\", \"app\" ...]\n```\n\n### 5. Add IAM Role to your nodes/ECS tasks\n\nCreate an IAM role and attach it to your EC2 instance.\n\nThe IAM role should have a policy that includes the following:\n\n```\n{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Action\": [\n        \"kms:Decrypt\"\n      ],\n      \"Effect\": \"Allow\",\n      \"Resource\": \"arn:aws:kms:us-east-1:AWSACCOUNTID:key/your-kms-key-id\"\n    }\n  ]\n}\n```\n\nThis will allow the EC2 instance to decrypt secrets created by this KMS key ID.\n\n### 6. Success!\n\nYou should now have everything set up. 
You can store secrets encrypted in git and decrypt them at runtime in your application.\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnoqcks%2Fgitsecrets","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnoqcks%2Fgitsecrets","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnoqcks%2Fgitsecrets/lists"}