{"id":22403341,"url":"https://github.com/springload/ssm-parent","last_synced_at":"2026-05-05T02:01:11.441Z","repository":{"id":32249630,"uuid":"129815675","full_name":"springload/ssm-parent","owner":"springload","description":"Docker entrypoint that gets parameters from AWS SSM Parameter Store","archived":false,"fork":false,"pushed_at":"2026-05-05T00:22:23.000Z","size":104,"stargazers_count":55,"open_issues_count":0,"forks_count":11,"subscribers_count":15,"default_branch":"master","last_synced_at":"2026-05-05T01:30:43.489Z","etag":null,"topics":["aws","docker","dockerfile","hacktoberfest","ssm-agent"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/springload.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2018-04-16T22:55:38.000Z","updated_at":"2026-05-05T00:21:20.000Z","dependencies_parsed_at":"2022-08-07T17:15:42.221Z","dependency_job_id":"a3d43c6c-c850-44fa-84f5-f6634d97e420","html_url":"https://github.com/springload/ssm-parent","commit_stats":null,"previous_names":[],"tags_count":36,"template":false,"template_full_name":null,"purl":"pkg:github/springload/ssm-parent","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/springload%2Fssm-parent","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/springload%2Fssm-parent/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/springload%2Fssm-parent/relea
ses","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/springload%2Fssm-parent/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/springload","download_url":"https://codeload.github.com/springload/ssm-parent/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/springload%2Fssm-parent/sbom","scorecard":{"id":842519,"data":{"date":"2025-08-11","repo":{"name":"github.com/springload/ssm-parent","commit":"505a35a50e7c5313108dd2a886a21c4c631651a7"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":4,"checks":[{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Maintained","score":0,"reason":"1 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":3,"reason":"Found 6/20 approved changesets -- score normalized to 3","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are 
merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/release.yml:39","Warn: no topLevel permission defined: .github/workflows/build_test.yml:1","Warn: no topLevel permission defined: .github/workflows/release.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized 
license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/release.yml:12"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v1.8.5 not signed: https://api.github.com/repos/springload/ssm-parent/releases/231286661","Warn: release artifact v1.8.4 not signed: https://api.github.com/repos/springload/ssm-parent/releases/215065413","Warn: release artifact 1.8.3 not signed: https://api.github.com/repos/springload/ssm-parent/releases/133117536","Warn: release artifact 1.8.2 not signed: https://api.github.com/repos/springload/ssm-parent/releases/125584415","Warn: release artifact 1.8.1 not signed: https://api.github.com/repos/springload/ssm-parent/releases/117521844","Warn: release artifact v1.8.5 does not have provenance: https://api.github.com/repos/springload/ssm-parent/releases/231286661","Warn: release artifact v1.8.4 does not have provenance: https://api.github.com/repos/springload/ssm-parent/releases/215065413","Warn: release artifact 1.8.3 does not have provenance: https://api.github.com/repos/springload/ssm-parent/releases/133117536","Warn: release artifact 1.8.2 does not have provenance: https://api.github.com/repos/springload/ssm-parent/releases/125584415","Warn: release artifact 1.8.1 does not have provenance: 
https://api.github.com/repos/springload/ssm-parent/releases/117521844"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Pinned-Dependencies","score":2,"reason":"dependency not pinned by hash detected -- score normalized to 2","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_test.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/springload/ssm-parent/build_test.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_test.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/springload/ssm-parent/build_test.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_test.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/springload/ssm-parent/build_test.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_test.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/springload/ssm-parent/build_test.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/springload/ssm-parent/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/springload/ssm-parent/release.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/springload/ssm-parent/release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:44: 
update your workflow using https://app.stepsecurity.io/secureworkflow/springload/ssm-parent/release.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/springload/ssm-parent/release.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/springload/ssm-parent/release.yml/master?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:1","Warn: containerImage not pinned by hash: Dockerfile:15","Info:   0 out of   6 GitHub-owned GitHubAction dependencies pinned","Info:   3 out of   7 third-party GitHubAction dependencies pinned","Info:   0 out of   2 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Vulnerabilities","score":8,"reason":"2 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2022-0635","Warn: Project is vulnerable to: GO-2022-0646"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all 
commits -- score normalized to 0","details":["Warn: 0 commits out of 21 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-23T20:47:45.239Z","repository_id":32249630,"created_at":"2025-08-23T20:47:45.240Z","updated_at":"2025-08-23T20:47:45.240Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32632290,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-04T10:08:07.713Z","status":"online","status_checked_at":"2026-05-05T02:00:06.033Z","response_time":54,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","docker","dockerfile","hacktoberfest","ssm-agent"],"created_at":"2024-12-05T09:16:52.306Z","updated_at":"2026-05-05T02:01:11.399Z","avatar_url":"https://github.com/springload.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Go Report Card](https://goreportcard.com/badge/github.com/springload/ssm-parent)](https://goreportcard.com/report/github.com/springload/ssm-parent)\n\n## SSM Parent\n\nThis is a wrapper entrypoint for Docker that does one thing: fetch parameters from SSM Parameter Store and expose them as environment variables to the underlying process.\n\nPlease note that it still requires a proper `init` process; for example, the one embedded into Docker can be 
used with `docker run --init`.\n\n```\nSSM-Parent is a docker entrypoint.\n\nIt gets specified parameters (possibly secret) from AWS SSM Parameter Store,\nthen exports them to the underlying process. Or creates a .env file to be consumed by an application.\n\nIt reads parameters in the following order: path-\u003ename-\u003eplain-path-\u003eplain-name.\nSo that every rightmost parameter overrides the previous one.\n\nUsage:\n  ssm-parent [command]\n\nAvailable Commands:\n  dotenv      Writes dotenv file\n  help        Help about any command\n  print       Prints the specified parameters.\n  run         Runs the specified command\n\nFlags:\n  -c, --config string        Path to the config file (optional). Allows to set transformations\n  -d, --debug                Turn on debug logging\n  -e, --expand               Expand arguments and values using shell-style syntax\n  -h, --help                 help for ssm-parent\n  -n, --name strings         Name of the SSM parameter to retrieve. Expects JSON in the value. Can be specified multiple times.\n  -p, --path strings         Path to a SSM parameter. Expects JSON in the value. Can be specified multiple times.\n      --plain-name strings   Name of the SSM parameter to retrieve. Expects actual parameter in the value. Can be specified multiple times.\n      --plain-path strings   Path to a SSM parameter. Expects actual parameter in the value. Can be specified multiple times.\n  -r, --recursive            Walk through the provided SSM paths recursively.\n  -s, --strict               Strict mode. Fail if found less parameters than number of names.\n      --version              version for ssm-parent\n\nUse \"ssm-parent [command] --help\" for more information about a command.\n```\n\nThe SSM parameter names or paths can be specified with `-p` or `-n` flags. 
In this case all parameters must be in JSON format, for example:\n\n```\n    {\n        \"ENVIRONMENT\": \"production\"\n    }\n```\n\nIf several parameters are specified, all JSON entities will be read and merged into one, overriding existing keys, for example:\n\nParameter one:\n\n```\n    {\n        \"USERNAME\": \"myuser\",\n        \"DATABASE\": \"production\"\n    }\n```\n\nParameter two:\n\n```\n    {\n        \"DATABASE\": \"test\"\n    }\n```\n\nThe merged result will be:\n\n```\n    {\n        \"USERNAME\": \"myuser\",\n        \"DATABASE\": \"test\"\n    }\n```\n\nOne can also specify the `--plain-name` and `--plain-path` command line options to read _plain_ parameters that are not in JSON format.\n`ssm-parent` takes the value as is, and constructs a key name from the `basename parameter`,\ni.e. an SSM parameter `/project/environment/myParameter` with value `supervalue` will be exported as `myParameter=supervalue`.\n\n### How to use\n\nDetermine the paths you want to read and try them out with `ssm-parent print` to see the resulting JSON output.\nThen use `ssm-parent run` or `ssm-parent dotenv`.\n\n### Variables transformations\n\nTransformations are complex, so they require a config file. `ssm-parent` supports all config formats supported by https://github.com/spf13/viper, i.e. `.toml`, `.yaml`, `.json`.\n\nAll configuration entities can be specified there rather than as flags.\nThe supported transformations are:\n\n1. rename - renames env vars\n2. delete - deletes env vars\n3. template - templates env vars\n4. trim_name_prefix - removes a prefix from variable names\n\nThe rename, template and trim_name_prefix transformations expect a dictionary rule. 
The delete transformation expects an array.\nThe template transformation uses [Go templates](https://golang.org/pkg/text/template/), and the environment variables map is passed as `.`.\n\nThe following extra functions are available in templates: url_host, url_user, url_password, url_path, url_scheme and trim_prefix. The current list of the custom functions can be found at https://github.com/springload/ssm-parent/blob/master/ssm/transformations/template_funcs.go#L9\n\ntrim_name_prefix will match any variables starting with `starts_with` and will remove the `trim` string from the start of the corresponding variable names.\n\nThere is practically no limit on the number of transformations, and they are applied in order from top to bottom.\n\nBelow is an example that recursively gets parameters from `/$PROJECT/common/` and `/$PROJECT/$ENVIRONMENT` and constructs variables out of\n`DATABASE_URL` to be consumed by a PHP application. It also renames `AWS_BUCKET` to `AWS_S3_BUCKET`, removes `DATABASE_URL` and trims a leading underscore from any variable name that may start with `_PHP`.\n\n```yaml\nrecursive: true\nexpand: true\ndebug: true\npaths: [\"/$PROJECT/common/\", \"/$PROJECT/$ENVIRONMENT\"]\n\ntransformations:\n    - action: template\n      rule:\n          SS_DATABASE_SERVER: \"{{ url_host .DATABASE_URL }}\"\n          SS_DATABASE_USERNAME: \"{{ url_user .DATABASE_URL }}\"\n          SS_DATABASE_PASSWORD: \"{{ url_password .DATABASE_URL }}\"\n          SS_DATABASE_NAME: '{{ with $x := url_path .DATABASE_URL }}{{ trim_prefix $x \"/\" }}{{end}}'\n    - action: rename\n      rule:\n          AWS_BUCKET: AWS_S3_BUCKET\n    - action: delete\n      rule:\n          - DATABASE_URL\n    - action: trim_name_prefix\n      rule:\n          trim: \"_\"\n          starts_with: \"_PHP\"\n```\n\n### Example Dockerfile part\n\n```\nENV PROJECT myproject\nENV ENVIRONMENT production\n\nRUN wget -O /tmp/ssm-parent.tar.gz 
https://github.com/springload/ssm-parent/releases/download/v1.4.1/ssm-parent_1.4.1_linux_amd64.tar.gz \u0026\u0026 \\\n    tar xvf /tmp/ssm-parent.tar.gz \u0026\u0026 mv ssm-parent /usr/bin/ssm-parent \u0026\u0026 rm /tmp/ssm-parent.tar.gz\n\nENTRYPOINT [\"/usr/bin/ssm-parent\", \"run\", \"-e\", \"-p\", \"/$PROJECT/$ENVIRONMENT/backend/\", \"-r\",  \"--\"]\nCMD [\"caddy\" , \"--conf\", \"/etc/Caddyfile\", \"--log\", \"stdout\"]\n```\n\n### Use as a Docker stage\n\n```\n# get the ssm-parent as a Docker stage\nFROM springload/ssm-parent:1.4.1 as ssm-parent\n\n# your main stage\nFROM alpine\nENV PROJECT myproject\nENV ENVIRONMENT production\n\nCOPY --from=ssm-parent /usr/bin/ssm-parent /usr/bin/ssm-parent\n\nENTRYPOINT [\"/usr/bin/ssm-parent\", \"run\", \"-e\", \"-p\", \"/$PROJECT/$ENVIRONMENT/backend/\", \"-r\",  \"--\"]\nCMD [\"caddy\" , \"--conf\", \"/etc/Caddyfile\", \"--log\", \"stdout\"]\n```\n\n### Config generation\n\nIf your application can't be configured via environment variables, then the following script, utilising `envsubst`, can be used to generate configs.\n\n```\n#!/bin/sh\n\necho \"Bootstrapping Caddy\"\nenvsubst \u003c /etc/Caddyfile.env \u003e /etc/Caddyfile\n\n# quote \"$@\" so arguments containing spaces reach the command intact\nexec \"$@\"\n```\n\n### .env file generation\n\nSometimes you just want a .env file, which is also possible.\n\nSpecify the same parameters, but use the `dotenv` command with a filename to generate the `.env` file.\n\n```\n./ssm-parent dotenv -r -p /project/environment dotenv.env\n2018/10/01 16:37:59  info Wrote the .env file       filename=dotenv.env\n```\n\n### How to build\n\nThis project uses `go mod` as a dependency manager. 
Go v1.13 was used.\n\n```\n    $ git clone https://github.com/springload/ssm-parent.git\n    $ cd ssm-parent\n    $ go build\n    # (after some hacking)\n    $ git tag vXXX \u0026\u0026 git push \u0026\u0026 git push --tags\n    $ goreleaser # to create a new release\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspringload%2Fssm-parent","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fspringload%2Fssm-parent","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspringload%2Fssm-parent/lists"}