{"id":45689698,"url":"https://github.com/zcloud-ws/secure-templates","last_synced_at":"2026-03-04T04:04:46.919Z","repository":{"id":225576386,"uuid":"755373262","full_name":"zcloud-ws/secure-templates","owner":"zcloud-ws","description":"Secure Templates is a tool to render templates using go-templates and load data values from secrets engine.","archived":false,"fork":false,"pushed_at":"2026-02-24T13:59:46.000Z","size":276,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-02-24T18:50:37.072Z","etag":null,"topics":["secret","secrets","security","security-tools","template","templates"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/zcloud-ws.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":["zcloud-ws"]}},"created_at":"2024-02-10T02:09:39.000Z","updated_at":"2026-02-24T13:59:51.000Z","dependencies_parsed_at":"2024-03-26T03:31:31.709Z","dependency_job_id":"0f113d0b-d358-4f94-a6cc-d71fbe5812aa","html_url":"https://github.com/zcloud-ws/secure-templates","commit_stats":null,"previous_names":["edimarlnx/secure-templates","zcloud-ws/secure-templates"],"tags_count":22,"template":false,"template_full_name":null,"purl":"pkg:github/zcloud-ws/secure-templates","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zcloud-ws%2Fsecure-templates","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zcloud-ws%2Fsecure-templates/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zcloud-ws%2Fsecure-templates/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zcloud-ws%2Fsecure-templates/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/zcloud-ws","download_url":"https://codeload.github.com/zcloud-ws/secure-templates/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zcloud-ws%2Fsecure-templates/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30071671,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-04T03:25:38.285Z","status":"ssl_error","status_checked_at":"2026-03-04T03:25:05.086Z","response_time":59,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["secret","secrets","security","security-tools","template","templates"],"created_at":"2026-02-24T16:00:47.942Z","updated_at":"2026-03-04T04:04:46.902Z","avatar_url":"https://github.com/zcloud-ws.png","language":"Go","funding_links":["https://github.com/sponsors/zcloud-ws"],"categories":[],"sub_categories":[],"readme":"# Secure Templates\n\n[![Coverage](https://img.shields.io/badge/Coverage-64%25-orange)](coverage/cover.html)\n\nA CLI tool that renders [Go templates](https://pkg.go.dev/text/template) with secret values loaded from pluggable secret engines. Keep your templates in version control and inject secrets at render time.\n\n**Binary:** `secure-templates` (alias: `stpl`)\n\n## Features\n\n- Render any text file using Go template syntax with secret injection\n- Pluggable secret engines: HashiCorp Vault, OCI Vault, local encrypted file, or no-op\n- Built-in [sprig](https://masterminds.github.io/sprig/) template functions (100+ utility functions)\n- Custom template delimiters to avoid conflicts with Helm, Jinja, etc.\n- Environment variable support in templates and config values\n- Secret introspection with `--print-keys`\n\n## Installation\n\n### Linux and macOS\n\nInstall the latest version (auto-detects OS and architecture):\n\n```shell\ncurl -sL https://raw.githubusercontent.com/zcloud-ws/secure-templates/main/scripts/install.sh | bash\n```\n\nThe installer will place the binary in `/usr/local/bin` if writable, or `~/.local/bin` as fallback. It also creates an `stpl` alias. Use `sudo` if you need to install to a system directory:\n\n```shell\ncurl -sL https://raw.githubusercontent.com/zcloud-ws/secure-templates/main/scripts/install.sh | sudo bash\n```\n\n**Customize with environment variables:**\n\n| Variable | Description |\n|----------|-------------|\n| `STPL_VERSION` | Install a specific version (e.g., `0.1.0` or `v0.1.0`) |\n| `STPL_INSTALL_DIR` | Custom installation directory |\n| `STPL_ALIAS_NAME` | Custom alias name (default: `stpl`, set empty to skip) |\n\n```shell\n# Install a specific version to a custom directory\nSTPL_VERSION=0.1.0 STPL_INSTALL_DIR=/opt/bin curl -sL https://raw.githubusercontent.com/zcloud-ws/secure-templates/main/scripts/install.sh | bash\n```\n\n### Manual / Windows\n\nDownload the binary for your platform from the [releases page](https://github.com/zcloud-ws/secure-templates/releases).\n\n## Quick Start\n\n```shell\n# 1. Generate a config with local-file secret engine\nsecure-templates init-config -o config.json\n\n# 2. Store a secret\nsecure-templates -c config.json manage-secret put myapp db_password \"s3cr3t\"\n\n# 3. Create a template\necho 'DB_PASSWORD={{ secret \"myapp\" \"db_password\" }}' \u003e app.env.tpl\n\n# 4. Render\nsecure-templates -c config.json app.env.tpl\n# Output: DB_PASSWORD=s3cr3t\n```\n\n## Template Functions\n\n### `secret`\n\nRetrieves a value from the configured secret engine.\n\n```\n{{ secret \"secret_name\" \"key_name\" }}\n```\n\nWhen called with only the secret name, returns a key-value map that can be iterated:\n\n```\n{{ range $key, $value := secret \"secret_name\" -}}\n{{ $key }}={{ $value }}\n{{ end }}\n```\n\n### `env`\n\nReads an environment variable:\n\n```\n{{ env \"MY_VAR\" }}\n```\n\n### Sprig functions\n\nAll [sprig](https://masterminds.github.io/sprig/) functions are available. Common examples:\n\n```\n{{ secret \"app\" \"password\" | b64enc }}      # base64 encode\n{{ env \"HOST\" | upper }}                     # uppercase\n{{ secret \"app\" \"name\" | default \"myapp\" }}  # default value\n```\n\n## Commands\n\n### `init-config`\n\nGenerate a sample config file with the `local-file` secret engine:\n\n```shell\nsecure-templates init-config -o config.json\n```\n\n| Flag | Env var | Description |\n|------|---------|-------------|\n| `--output`, `-o` | `SEC_TPL_OUTPUT` | Output file path (stdout if omitted) |\n| `--secret-file` | | Path for the secret data file |\n| `--private-key-passphrase` | `LOCAL_SECRET_PRIVATE_KEY_PASSPHRASE` | Passphrase for RSA key encryption |\n\n### `manage-secret`\n\nManage secrets in the configured engine.\n\n**Add or update a single key:**\n\n```shell\nsecure-templates -c config.json manage-secret put \u003cSECRET\u003e \u003cKEY\u003e \u003cVALUE\u003e\n```\n\n**Import keys from an .env file:**\n\n```shell\nsecure-templates -c config.json manage-secret import \u003cSECRET\u003e \u003cENV_FILE\u003e\n```\n\n### Render (default action)\n\nRender a template file using values from the configured secret engine:\n\n```shell\nsecure-templates -c config.json [flags] \u003cTEMPLATE_FILE\u003e\n```\n\n| Flag | Env var | Description |\n|------|---------|-------------|\n| `--config`, `-c` | `SEC_TPL_CONFIG` | Path to config file |\n| `--output`, `-o` | `SEC_TPL_OUTPUT` | Output file (stdout if omitted) |\n| `--print-keys`, `-p` | | List secret key references used in the template |\n| `--left-delim`, `--ld` | `SEC_TPL_LEFT_DELIM` | Custom left template delimiter |\n| `--right-delim`, `--rd` | `SEC_TPL_RIGHT_DELIM` | Custom right template delimiter |\n\n## Custom Template Delimiters\n\nWhen rendering templates that target systems using Go template syntax (e.g., Helm charts), the default `{{ }}` delimiters conflict. Use custom delimiters so that `secure-templates` only processes its own expressions while standard `{{ }}` passes through untouched.\n\n**Example** - a Helm values file using `\u003c\u003c \u003e\u003e` delimiters:\n\nTemplate (`values.yaml.tpl`):\n```yaml\napp_user: {{ .Values.appUser }}\napp_password: \u003c\u003c secret \"core\" \"app_passwd\" \u003e\u003e\n```\n\nRender:\n```shell\nsecure-templates --left-delim \"\u003c\u003c\" --right-delim \"\u003e\u003e\" values.yaml.tpl\n```\n\nOutput:\n```yaml\napp_user: {{ .Values.appUser }}\napp_password: s3cr3t_v4lu3\n```\n\nCustom delimiters can also be set in the config file:\n\n```json\n{\n  \"options\": {\n    \"leftDelim\": \"\u003c\u003c\",\n    \"rightDelim\": \"\u003e\u003e\"\n  }\n}\n```\n\nCLI flags take precedence over config file values.\n\n## Supported Secret Engines\n\n### HashiCorp Vault\n\nUses the [Vault KVv2](https://www.vaultproject.io/) secret engine.\n\n| Env var | Description |\n|---------|-------------|\n| `VAULT_ADDR` | Vault server address |\n| `VAULT_TOKEN` | Authentication token |\n| `VAULT_SECRET_ENGINE` | Secret engine name |\n| `VAULT_NS` | Vault namespace |\n\nFor local development, a Docker Compose setup is available in [`dev/vault/`](dev/vault/README.md).\n\n### OCI Vault\n\nUses [Oracle Cloud Infrastructure Vault](https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Concepts/keyoverview.htm) as the secret engine. Each OCI secret stores a single value (native key-value model).\n\nIn templates, the first parameter is the **vault name** and the second is the **secret name**:\n\n```\n{{ secret \"my-vault\" \"db_password\" }}\n```\n\nThis allows accessing secrets from multiple vaults in a single template. The vault is resolved by display name within the configured compartment.\n\nFor single-arg calls (`{{ secret \"db_password\" }}`), the default vault OCID from config/env is used.\n\n| Env var | Description |\n|---------|-------------|\n| `OCI_CONFIG_FILE` | Path to OCI config file (default: `~/.oci/config`) |\n| `OCI_CONFIG_PROFILE` | OCI config profile (default: `DEFAULT`) |\n| `OCI_VAULT_OCID` | Default OCI Vault OCID (optional, used for single-arg secret calls) |\n| `OCI_COMPARTMENT_OCID` | OCI Compartment OCID (required for vault name resolution and write operations) |\n| `OCI_KEY_OCID` | OCI Master Encryption Key OCID (required for write operations) |\n\n### Local File\n\nStores secrets in a local JSON file encrypted with RSA (OAEP + SHA256).\n\n| Env var | Description |\n|---------|-------------|\n| `LOCAL_SECRET_PRIVATE_KEY` | Base64-encoded RSA private key |\n| `LOCAL_SECRET_PRIVATE_KEY_PASSPHRASE` | Passphrase for the RSA key |\n\n## Config File\n\n```json\n{\n  \"secret_engine\": \"local-file\",\n  \"vault_config\": {\n    \"address\": \"http://localhost:8200\",\n    \"token\": \"token\",\n    \"secret_engine\": \"kv\",\n    \"ns\": \"dev\"\n  },\n  \"local_file_config\": {\n    \"filename\": \"secrets.json\",\n    \"enc_priv_key\": \"LS0tLS....\"\n  },\n  \"oci_vault_config\": {\n    \"vault_ocid\": \"$OCI_VAULT_OCID\",\n    \"compartment_ocid\": \"$OCI_COMPARTMENT_OCID\",\n    \"key_ocid\": \"$OCI_KEY_OCID\"\n  },\n  \"options\": {\n    \"secretShowNameAsValueIfEmpty\": false,\n    \"secretIgnoreNotFoundKey\": false,\n    \"envShowNameAsValueIfEmpty\": false,\n    \"envAllowAccessToSecureTemplateEnvs\": false,\n    \"envRestrictedNameRegex\": \"SC_.+\",\n    \"leftDelim\": \"\",\n    \"rightDelim\": \"\"\n  }\n}\n```\n\nConfig values support environment variable expansion: any value containing `$` is expanded (e.g., `\"$VAULT_TOKEN\"`).\n\n### Options Reference\n\n| Option | Default | Description |\n|--------|---------|-------------|\n| `secretShowNameAsValueIfEmpty` | `false` | Show the key name as value when the secret value is empty |\n| `secretIgnoreNotFoundKey` | `false` | Ignore missing keys instead of failing |\n| `envShowNameAsValueIfEmpty` | `false` | Show the variable name as value when the env var is empty |\n| `envAllowAccessToSecureTemplateEnvs` | `false` | Allow `env` function to access `secure-templates` internal env vars |\n| `envRestrictedNameRegex` | `\"\"` | Regex pattern for restricted env var names (e.g., `SC_.+`) |\n| `leftDelim` | `\"\"` | Custom left template delimiter (empty = `{{`) |\n| `rightDelim` | `\"\"` | Custom right template delimiter (empty = `}}`) |\n\n## Examples\n\n### .env file\n\nTemplate ([source](./test/samples/.env)):\n```\nexport APP_USER={{ secret \"core\" \"app_user\" }}\nexport APP_PASSWORD={{ secret \"core\" \"app_passwd\" }}\n```\n\nOutput:\n```\nexport APP_USER=dev_user\nexport APP_PASSWORD=2dabe3d7c66fb75f751202fdab19266b\n```\n\n### Kubernetes Secret\n\nTemplate ([source](./test/samples/k8s-secret.yaml)):\n```yaml\napiVersion: v1\nkind: Secret\nmetadata:\n  name: {{ env \"SECRET_NAME\" }}\n  namespace: {{ env \"SECRET_NAMESPACE\" }}\ndata:\n  APP_USER: {{ secret \"core\" \"app_user\" | b64enc }}\n  APP_PASSWORD: {{ secret \"core\" \"app_passwd\" | b64enc }}\nstringData:\n  CLIENT_APP_USER: \"{{ secret \"client\" \"app_user\" }}\"\n  CLIENT_APP_PASSWORD: \"{{ secret \"client\" \"app_passwd\" }}\"\n```\n\n### Iterating over secret keys\n\nTemplate ([source](./test/samples/secrets-list.env)):\n```\n{{ range $key, $value := secret \"test\" -}}\n{{ $key }}:{{ $value }}\n{{ end }}\n```\n\n## Building from Source\n\n```bash\n# Build\ngo build -o secure-templates .\n\n# Run tests\ncd test \u0026\u0026 go test ./...\n\n# Coverage report\n./coverage-update.sh\n```\n\nRequires Go 1.21+.\n\n## Author\n\nEdimar Cardoso\n\n- [edimarlnx@gmail.com](mailto:edimarlnx@gmail.com)\n- [edimar@quave.one](mailto:edimar@quave.one)\n- [oss@quave.one](mailto:oss@quave.one)\n- Website: [www.quave.one](https://www.quave.one)\n\n## License\n\n[MIT](./LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzcloud-ws%2Fsecure-templates","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fzcloud-ws%2Fsecure-templates","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzcloud-ws%2Fsecure-templates/lists"}