{"id":13645730,"url":"https://github.com/sethvargo/vault-secrets-gen","last_synced_at":"2026-01-14T19:22:07.712Z","repository":{"id":26934636,"uuid":"110276392","full_name":"sethvargo/vault-secrets-gen","owner":"sethvargo","description":"A Vault secrets plugin for generating high entropy passwords and passphrases.","archived":true,"fork":false,"pushed_at":"2023-09-01T14:46:55.000Z","size":4822,"stargazers_count":339,"open_issues_count":4,"forks_count":54,"subscribers_count":12,"default_branch":"main","last_synced_at":"2025-04-21T17:42:09.947Z","etag":null,"topics":["diceware","password","password-generator","secrets","vault","vault-plugin"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sethvargo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2017-11-10T17:52:33.000Z","updated_at":"2025-04-12T19:45:16.000Z","dependencies_parsed_at":"2024-01-14T09:57:26.111Z","dependency_job_id":"aff3ac50-ec89-4c63-ad6f-43d03609c9bb","html_url":"https://github.com/sethvargo/vault-secrets-gen","commit_stats":null,"previous_names":[],"tags_count":14,"template":false,"template_full_name":null,"purl":"pkg:github/sethvargo/vault-secrets-gen","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sethvargo%2Fvault-secrets-gen","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sethvargo%2Fvault-secrets-gen/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sethvargo%2Fvault-secrets-gen/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/
repositories/sethvargo%2Fvault-secrets-gen/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sethvargo","download_url":"https://codeload.github.com/sethvargo/vault-secrets-gen/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sethvargo%2Fvault-secrets-gen/sbom","scorecard":{"id":813338,"data":{"date":"2025-08-11","repo":{"name":"github.com/sethvargo/vault-secrets-gen","commit":"d39e69c5c3ec953cd3c9a62542b768606c8a6c69"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3,"checks":[{"name":"Code-Review","score":0,"reason":"Found 2/29 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":0,"reason":"project is archived","details":["Warn: Repository is archived."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous 
patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/release.yml:1","Warn: no topLevel permission defined: .github/workflows/test.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/sethvargo/vault-secrets-gen/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/sethvargo/vault-secrets-gen/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/sethvargo/vault-secrets-gen/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/sethvargo/vault-secrets-gen/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/sethvargo/vault-secrets-gen/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:33: update your workflow using 
https://app.stepsecurity.io/secureworkflow/sethvargo/vault-secrets-gen/test.yml/main?enable=pin","Info:   0 out of   4 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   2 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and 
uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":8,"reason":"5 out of the last 5 releases have a total of 5 signed artifacts.","details":["Info: signed release artifact: vault-secrets-gen_0.1.7_SHA256SUMS.sig: https://github.com/sethvargo/vault-secrets-gen/releases/tag/v0.1.7","Info: signed release artifact: vault-secrets-gen_0.1.6_SHA256SUMS.sig: https://github.com/sethvargo/vault-secrets-gen/releases/tag/v0.1.6","Info: signed release artifact: vault-secrets-gen_0.1.5_SHA256SUMS.sig: https://github.com/sethvargo/vault-secrets-gen/releases/tag/v0.1.5","Info: signed release artifact: vault-secrets-gen_0.1.4_SHA256SUMS.sig: https://github.com/sethvargo/vault-secrets-gen/releases/tag/v0.1.4","Info: signed release artifact: vault-secrets-gen_0.1.3_SHA256SUMS.sig: https://github.com/sethvargo/vault-secrets-gen/releases/tag/v0.1.3","Warn: release artifact v0.1.7 does not have provenance: https://api.github.com/repos/sethvargo/vault-secrets-gen/releases/74206540","Warn: release artifact v0.1.6 does not have provenance: 
https://api.github.com/repos/sethvargo/vault-secrets-gen/releases/56156698","Warn: release artifact v0.1.5 does not have provenance: https://api.github.com/repos/sethvargo/vault-secrets-gen/releases/56007125","Warn: release artifact v0.1.4 does not have provenance: https://api.github.com/repos/sethvargo/vault-secrets-gen/releases/55685368","Warn: release artifact v0.1.3 does not have provenance: https://api.github.com/repos/sethvargo/vault-secrets-gen/releases/50168411"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 7 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"13 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2024-2947 / GHSA-v6v8-xj6m-xwqh","Warn: Project is vulnerable to: GO-2023-2402 / GHSA-45x7-px36-x8w8","Warn: Project is vulnerable to: GO-2024-3321 / GHSA-v778-237x-gjrc","Warn: Project is vulnerable to: GO-2025-3487 / GHSA-hcg3-q754-cr77","Warn: Project is vulnerable to: GO-2023-1988 / GHSA-2wrh-6pvc-2jm9","Warn: Project is vulnerable to: GO-2023-2102 / GHSA-4374-p667-p6c8","Warn: Project is vulnerable to: GO-2023-2153 / GHSA-m425-mq94-257g / GHSA-qppj-fm5r-hxr3","Warn: Project is vulnerable to: GO-2024-2687 / GHSA-4v7x-pqxf-cx7m","Warn: Project is vulnerable to: GO-2024-3333","Warn: Project is vulnerable to: GO-2025-3503 / GHSA-qxp5-gwg8-xv66","Warn: Project is vulnerable to: GO-2025-3595 / GHSA-vvgc-356p-c3xw","Warn: Project is vulnerable to: GO-2024-2611 / GHSA-8r3f-844c-mc37","Warn: Project is vulnerable 
to: GO-2024-2631 / GHSA-c5q2-7r4c-mv6g"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-23T13:39:11.132Z","repository_id":26934636,"created_at":"2025-08-23T13:39:11.132Z","updated_at":"2025-08-23T13:39:11.132Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28432585,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T18:57:19.464Z","status":"ssl_error","status_checked_at":"2026-01-14T18:52:48.501Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["diceware","password","password-generator","secrets","vault","vault-plugin"],"created_at":"2024-08-02T01:02:40.714Z","updated_at":"2026-01-14T19:22:07.694Z","avatar_url":"https://github.com/sethvargo.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"# Password Generator for HashiCorp Vault\n\nThe Vault Password Generator is a [Vault](https://www.vaultproject.io) secrets\nplugin for generating cryptographically secure passwords and passphrases.\n\nThis is both a real custom Vault secrets plugin, and an example of how to build,\ninstall, and maintain your own Vault secrets plugin.\n\n## Setup\n\nThe setup 
guide assumes some familiarity with Vault and Vault's plugin\necosystem. You must have a Vault server already running, unsealed, and\nauthenticated.\n\n1. Download and decompress the latest plugin binary from the Releases tab on\nGitHub. Alternatively you can compile the plugin from source, if you're into\nthat kinda thing.\n\n1. Move the compiled plugin into Vault's configured `plugin_directory`. You must\n   set this value in the [server configuration][vault-config]:\n\n    ```sh\n    $ mv vault-secrets-gen /etc/vault/plugins/vault-secrets-gen\n    ```\n\n1. Enable mlock so the plugin can safely be enabled and disabled:\n\n   ```sh\n   setcap cap_ipc_lock=+ep /etc/vault/plugins/vault-secrets-gen\n   ```\n\n1. Calculate the SHA256 of the plugin and register it in Vault's plugin catalog.\nIf you are downloading the pre-compiled binary, it is highly recommended that\nyou use the published checksums to verify integrity.\n\n    ```sh\n    $ export SHA256=$(shasum -a 256 \"/etc/vault/plugins/vault-secrets-gen\" | cut -d' ' -f1)\n\n    $ vault plugin register \\\n        -sha256=\"${SHA256}\" \\\n        -command=\"vault-secrets-gen\" \\\n        secret secrets-gen\n    ```\n\n1. 
Mount the secrets engine:\n\n    ```sh\n    $ vault secrets enable \\\n        -path=\"gen\" \\\n        -plugin-name=\"secrets-gen\" \\\n        plugin\n    ```\n\n### Upgrade plugin\n\nIn order to upgrade, you can repeat the decompress, move and register steps with the new version:\n\n    ```sh\n    $ export SHA256=$(shasum -a 256 \"/etc/vault/plugins/vault-secrets-gen_vX.X.X\" | cut -d' ' -f1)\n    $ mv vault-secrets-gen_vX.X.X \u003cvault-plugin-directory\u003e/\n    $ vault plugin register \\\n        -sha256=\"${SHA256}\" \\\n        -command=\"vault-secrets-gen_vX.X.X\" \\\n        -version=\"vX.X.X\" \\\n        secret secrets-gen\n    $ vault secrets tune -plugin-version=vX.X.X secrets-gen\n    $ vault plugin reload -plugin secrets-gen\n    ```\n\nWhere `vX.X.X` denotes the target version you wish to upgrade to.\nNote that the `-version` option is only supported in Vault server versions starting from `1.12.0`;\nomit it for earlier versions.\n\nSee:\n - https://developer.hashicorp.com/vault/docs/upgrading/plugins\n - https://developer.hashicorp.com/vault/docs/v1.11.x/upgrading/plugins (for Vault server versions \u003c1.12.0)\n\n## Usage \u0026 API\n\n### Policy requirements\n\nThe token used should have the following policy permissions to be able to generate passwords.\n\n```hcl\npath \"gen/password\" {\n  capabilities = [\"create\", \"update\"]\n}\n```\n\n### Generate Password\n\nGenerates a random, high-entropy password with the specified number of\ncharacters, digits, symbols, and configurables.\n\n| Method   | Path                         | Produces                 |\n| :------- | :--------------------------- | :----------------------- |\n| `POST`   | `/gen/password`              | `200 (application/json)` |\n\n#### Parameters\n\n- `length` `(int: 64)` - Specifies the total length of the password including\n  all letters, digits, and symbols.\n\n- `digits` `(int: 10)` - Specifies the number of digits to include in the\n  password.\n\n- `symbols` `(int: 
10)` - Specifies the number of symbols to include in the\n  password.\n\n- `allow_uppercase` `(bool: true)` - Specifies whether to allow uppercase and\n  lowercase letters in the password.\n\n- `allow_repeat` `(bool: true)` - Specifies to allow duplicate characters in the\n  password. If set to false, be conscious of password length as values cannot be\n  re-used.\n\n#### CLI\n\n```\n$ vault write gen/password length=36 symbols=0\nKey  \tValue\n---  \t-----\nvalue\t27f3L5zKCZS8DD6D2PEK1xm0ECNaImg1PJqg\n```\n\n### Generate Passphrase\n\nGenerates a random, high-entropy passphrase with the specified number of words\nand separator using the diceware algorithm.\n\n| Method   | Path                         | Produces                 |\n| :------- | :--------------------------- | :----------------------- |\n| `POST`   | `/gen/passphrase`            | `200 (application/json)` |\n\n#### Parameters\n\n- `words` `(int: 6)` - Specifies the total number of words to generate.\n\n- `separator` `(string: \"-\")` - Specifies the string value to use as a separator\n  between words.\n\n#### CLI\n\n```\n$ vault write gen/passphrase words=4\nKey  \tValue\n---  \t-----\nvalue\tobstacle-sacrament-sizable-variably\n```\n\n## License\n\nThis code is licensed under the MIT license.\n\n[vault-config]: https://www.vaultproject.io/docs/configuration#plugin_directory\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsethvargo%2Fvault-secrets-gen","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsethvargo%2Fvault-secrets-gen","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsethvargo%2Fvault-secrets-gen/lists"}