{"id":36900792,"url":"https://github.com/zntrio/harp","last_synced_at":"2026-01-12T15:46:51.678Z","repository":{"id":65655604,"uuid":"575351013","full_name":"zntrio/harp","owner":"zntrio","description":"Secret management by contract toolchain ","archived":false,"fork":false,"pushed_at":"2024-08-08T19:01:29.000Z","size":7341,"stargazers_count":5,"open_issues_count":21,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-06-25T15:07:07.296Z","etag":null,"topics":["aws-ssm-parameter-store","cli","consul","container","cryptography","elastic","golang","key-management","kubernetes","password-generator","secret-management","template-engine","vault","zookeeper"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/zntrio.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-12-07T10:12:14.000Z","updated_at":"2024-06-09T11:42:46.000Z","dependencies_parsed_at":"2023-10-01T19:31:21.615Z","dependency_job_id":"f13b3387-005b-454f-96e2-5239063aeb90","html_url":"https://github.com/zntrio/harp","commit_stats":null,"previous_names":[],"tags_count":91,"template":false,"template_full_name":null,"purl":"pkg:github/zntrio/harp","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zntrio%2Fharp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zntrio%2Fharp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zntrio%2Fharp/releases"
,"manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zntrio%2Fharp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/zntrio","download_url":"https://codeload.github.com/zntrio/harp/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zntrio%2Fharp/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28341834,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-12T12:22:26.515Z","status":"ssl_error","status_checked_at":"2026-01-12T12:22:10.856Z","response_time":98,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws-ssm-parameter-store","cli","consul","container","cryptography","elastic","golang","key-management","kubernetes","password-generator","secret-management","template-engine","vault","zookeeper"],"created_at":"2026-01-12T15:46:51.583Z","updated_at":"2026-01-12T15:46:51.670Z","avatar_url":"https://github.com/zntrio.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)\n[![Go Report 
Card](https://goreportcard.com/badge/github.com/zntrio/harp)](https://goreportcard.com/report/github.com/zntrio/harp)\n[![made-with-Go](https://img.shields.io/badge/Made%20with-Go-1f425f.svg)](http://golang.org)\n[![GitHub release](https://img.shields.io/github/release/zntrio/harp.svg)](https://github.com/zntrio/harp/releases/)\n[![Maintenance](https://img.shields.io/badge/Maintained%3F-yes-green.svg)](https://zntr.io/harp/graphs/commit-activity)\n\n- [Harp](#harp)\n  - [TL;DR.](#tldr)\n  - [Visual overview](#visual-overview)\n  - [Why harp?](#why-harp)\n  - [Use cases](#use-cases)\n  - [How does it work?](#how-does-it-work)\n    - [Like a Data pipeline but for secret](#like-a-data-pipeline-but-for-secret)\n    - [Immutable transformation](#immutable-transformation)\n  - [What can I do?](#what-can-i-do)\n  - [FAQ](#faq)\n  - [License](#license)\n- [Build instructions](#build-instructions)\n  - [Clone repository](#clone-repository)\n  - [Setup dev environment](#setup-dev-environment)\n    - [With nix flake](#with-nix-flake)\n    - [Non-nix managed environment](#non-nix-managed-environment)\n      - [Check your go version](#check-your-go-version)\n      - [Install mage](#install-mage)\n        - [From source](#from-source)\n      - [Bootstrap tools](#bootstrap-tools)\n  - [Mage targets](#mage-targets)\n- [Plugins](#plugins)\n- [Community](#community)\n\n# Harp\n\nHarp is for Harpocrates (Ancient Greek: Ἁρποκράτης) the god of silence, secrets\nand confidentiality in the Hellenistic religion. - [Wikipedia](https://en.wikipedia.org/wiki/Harpocrates)\n\n\u003e This tool was initially developed while I was at Elastic, to be able to continue\n\u003e to maintain Harp without the upstream dependency, I decided to do a hard-fork\n\u003e of the Elastic repository.\n\u003e\n\u003e I'm going to introduce breaking changes from the Elastic original version.\n\n## TL;DR.\n\nHarp is an innovative toolset that emphasizes `secret management through contracts`. 
Its primary objective revolves around mitigating value-centric management by offering a structured approach to handling secret data in a reproducible manner. Harp aims to enhance security and efficiency in managing sensitive information by providing a technical stack that describes `contract-managed values` within `pipelines`.\n\nOne of Harp's standout features is its ability to establish consistent associations between secrets and `predictable identifiers`. This ensures referencable secrets can be accessed within the system, contributing to a more organized and controlled secret management environment. Including metadata associated with each secret provides comprehensive insights into the nature and context of the managed data, empowering developers with a clear understanding of their data.\n\nFurthermore, Harp leverages a concept known as `Bundles` stored in `immutable containers`, which serve as pivotal elements in facilitating communication between different components within the system. These Bundles enable seamless interaction among various modules, promoting cohesion and integrity in secret management operations.\n\nIn addition to its core functionalities, Harp offers a `template engine` that empowers users to generate diverse confidence values such as passwords, passphrases, encryption keys, and more. This feature enhances Harp's flexibility and versatility by enabling users to create tailored configurations based on specific requirements and security considerations.\n\nHarp provides a `robust SDK` that allows developers to integrate its functionalities into their applications seamlessly. This fosters seamless integration and interoperability with existing systems and promotes collaboration and innovation within the software development ecosystem. 
This aspect of Harp opens up exciting possibilities for developers, inspiring them to explore and create.\n\nIn conclusion, Harp represents a comprehensive solution for enhancing secret management practices through contract-based mechanisms. By offering a range of features such as predictable identifiers, metadata associations, bundle storage in immutable containers, template engine capabilities, and an SDK for integration, Harp stands out as a valuable toolset for safeguarding sensitive data and promoting efficient workflows in information security.\n\n## Visual overview\n\n![Visual overview](docs/harp/img/HARP_FLOW.png)\n\n## Why harp?\n\n* Secret management is in essence a collection of processes that must be\n  auditable, executable and reproducible for infosec and operation requirements;\n* Secret provisioning must be designed with secret rotation as a day one task,\n  due to the fact that secret data must be rotated periodically to keep its\n  secret property;\n* `Developers` should negotiate the secret value for the secret consumer they are\n  currently developing, through a contract based on a path (reference to the secret)\n  and a value specification (for the code contract), without knowledge of the\n  final deployed value;\n* `Secret Operators` use different sets of tools to achieve secret\n  management operations, which increases the error/secret exposure probability due to\n  the number of tools involved in the process (incompatibility, changes, etc.);\n* Without a defined secret naming convention, the secret storage becomes difficult to\n  handle over time (naming is hard), and there is nothing to guide secret naming\n  toward a consistent, reliable and flexible secret tree;\n* Secret storage backends have various implementations in different environments\n  and should be provisioned consistently;\n* When you use `Terraform` for secret management, you have the cleartext value\n  stored in the state. 
To protect the state you have to deploy a complex infrastructure.\n  To simplify this we use harp for secret provisioning and use the secret reference\n  in the Terraform topology.\n\n## Use cases\n\n* You want to have a `single secret value` and you are asking yourself\n  `how to generate a strong password` - Harp has a template engine with secret\n  value generation functions to allow you to generate such values.\n* You have `thousands of secrets` to handle to deploy your platform/customers\n  `on multiple cloud providers` with `different secret storages` - Harp will help you\n  to define consistent secret provisioning bundles and pipelines.\n* You need an `ephemeral secret storage` to `bootstrap` your long term cloud\n  secret storage - Harp will help you to create\n  secret containers that can be consumed on deployment.\n* You want to `migrate massively` your secrets from one secret storage to\n  another - Harp provides a secret container to store these secrets while\n  they are being distributed to other secret storage implementations.\n* You have to `alter/modify` a secret (rotation/deprecation/renewal) - Harp\n  provides a `GitOps-able` secret `storage agnostic operation set`, so that you\n  can define a specification to describe how your secret operation is going to\n  be applied offline on the secret container.\n\n## How does it work?\n\n![Secret management Pipeline](docs/harp/img/SM-HARP-PIPELINE.png)\n\n### Like a Data pipeline but for secret\n\n`harp` allows you to handle secrets using deterministic pipelines expressed\nas an atomic series of CLI operations applied to a commonly shared container:\nan immutable and standalone file system used to store a secret collection (Bundle)\ngenerated from a template engine via a user specification, or from external secret\nvalues coming from files or external secret storage.\n\n![Pipelines](docs/harp/img/SM-HARP.png)\n\nThese pipelines use the immutable container file system as a data exchange\nprotocol and could 
be extended for new input, intermediary operation or output\nvia plugins created with the `harp` SDK.\n\n### Immutable transformation\n\nEach applied transformation creates a new container with the transformed data inside.\nThis enforces container reproducibility by eliminating cumulative\nside effects applied to the same container.\n\nThe container handles for you the confidentiality and integrity protection applied\nto the secret collection stored inside, which is manipulated by copy during the\npipeline execution.\n\n## What can I do?\n\n\u003e New to harp? Start with the [onboarding tutorial](docs/onboarding/README.md)!\n\u003e TL;DR - [Features overview](FEATURES.md)\n\nHarp provides :\n\n* A methodology to design your secret management;\n  * Secret naming convention (CSO);\n  * A defined common language and complete processes to achieve secret management\n    operations;\n* An SDK to create your own tools to orchestrate your secret management pipelines;\n  * A container manipulation library exposed as `zntr.io/harp/v2/pkg/container`;\n  * A secret bundle specification to store and manipulate secrets exposed as `zntr.io/harp/v2/pkg/bundle`;\n  * An `on-steroids` template engine exposed as `zntr.io/harp/v2/pkg/template`;\n  * A path name validation library exposed as `zntr.io/harp/v2/pkg/cso`;\n* A CLI for secret management implementation\n  * CI/CD integration;\n  * Based on human-readable definitions (YAML);\n  * In order to create auditable and reproducible pipelines;\n  * An extensible tool which can be enhanced via [plugins](https://github.com/zntrio/harp-plugins).\n\nAnd allows :\n\n* Bundle level operations\n  * Create a bundle from scratch / template / JSON (more via plugins);\n  * Generate a complete bundle using a YAML Descriptor (`BundleTemplate`) to describe secrets and their usages;\n  * Read values stored in the K/V virtual file system;\n  * Update the K/V virtual file system;\n  * Reproducible patches applied on an immutable container (copy-on-write);\n  * Import 
/ Export to Vault.\n* Immutable container level operations\n  * Seal / Unseal a container to preserve its integrity and confidentiality properties\n    and enforce at-rest encryption (aes256-gcm96 or chacha20-poly1305);\n  * Multiple identities sealing algorithm;\n\n## FAQ\n\n* Is it used internally at zntrio? - Yes. It is used to generate bootstrap\n  secrets used to bootstrap the new region infrastructure components.\n  #ChickenEggProblem\n\n* Does Harp only support `Vault`? - No, it has been published with only Vault\n  support built-in, but it supports many other secret storage implementations via\n  plugins.\n\n* What's the difference with `Vault`? - HashiCorp Vault is an encrypted, highly\n  available K/V store with an advanced authorization engine; it doesn't handle\n  secret provisioning for you. You can't ask Vault to generate secrets for your\n  application and store them using a defined logic. Harp fills this\n  requirement.\n\n## License\n\n`harp` artifacts and source code are released under the [Apache 2.0 Software License](LICENSE).\n\n# Build instructions\n\nDownload a [release](https://github.com/zntrio/harp/releases) or build from source.\n\n## Clone repository\n\n```sh\n$ git clone git@github.com:zntrio/harp.git\n$ export HARP_REPOSITORY=$(pwd)/harp\n```\n\n## Setup dev environment\n\n### With nix flake\n\nInstall `nix` on your system, if not already installed.\n\n```sh\n$ sudo install -d -m755 -o $(id -u) -g $(id -g) /nix\n$ curl -L https://nixos.org/nix/install | sh\n```\n\n\u003e More information? 
- \u003chttps://nixos.wiki/wiki/Nix_Installation_Guide\u003e\n\n```sh\n$ cd $HARP_REPOSITORY\n$ nix develop\n```\n\n### Non-nix managed environment\n\n#### Check your go version\n\n\u003e Only the last 2 minor versions of a major are supported.\n\n`Harp` is compiled with :\n\n```sh\n$ go version\ngo version go1.21 linux/amd64\n```\n\n\u003e Simple go version manager - \u003chttps://github.com/stefanmaric/g\u003e\n\n#### Install mage\n\n[Mage](https://magefile.org/) is an alternative to Make where the language used is Go.\nYou can install it using 2 different methods.\n\n##### From source\n\n```sh\n# Install mage\ngit clone https://github.com/magefile/mage\ncd mage\ngo run bootstrap.go\n```\n\n#### Bootstrap tools\n\n```sh\n# Go to tools submodule\ncd $HARP_REPOSITORY/tools\n# Resolve dependencies\ngo mod tidy\ngo mod vendor\n# Pull tool sources, compile them and install the executables in tools/bin\nmage\n```\n\n## Mage targets\n\n```sh\n❯ mage -l\nTargets:\n  api:generate     protobuf objects from proto definitions.\n  build*           harp executable.\n  code:format      source code and process imports.\n  code:generate    SDK code (mocks, tests, etc.)\n  code:licenser    apply copyright banner to source code.\n  code:lint        code using golangci-lint.\n  compile          harp code to create an executable.\n  docker:harp      build harp docker image\n  docker:tools     prepares docker images with go toolchain and project tools.\n  homebrew         generates homebrew formula from compiled artifacts.\n  release          harp version and cross-compile code to produce all artifacts.\n  releaser:harp    releases harp artifacts using docker pipeline.\n  test:cli         Test harp application.\n  test:unit        Test harp application.\n\n* default target\n```\n\n# Plugins\n\nYou can find more Harp feature extensions - \u003chttps://github.com/zntrio/harp-plugins\u003e\n\n# Community\n\nHere is the list of external projects used as inspiration :\n\n* 
[Kubernetes](https://github.com/kubernetes/)\n* [Helm](https://github.com/helm/)\n* [Open Policy Agent ConfTest](https://github.com/open-policy-agent/conftest)\n* [SaltPack](https://github.com/keybase/saltpack)\n* [Hashicorp Vault](https://github.com/hashicorp/vault)\n* [AWS SDK Go](https://github.com/aws/aws-sdk-go)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzntrio%2Fharp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fzntrio%2Fharp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzntrio%2Fharp/lists"}