Secrets

Secrets Management

General

Tool	Description
yopass	Secure sharing for secrets, passwords and files
sops	Secrets management
chamber	CLI for managing secrets
daytona	Lighter, alternative, implementation of the Vault client CLI primarily for services and containers Its core features are the ability to automate authentication, fetching of secrets, and automated token renewal
harp	Secret management toolchain from the Elastic team
aws-vault	A vault for securely storing and accessing AWS credentials in development environments
Google Secrets Manager	Store API keys, passwords, certificates, and other sensitive data CLI library
knox	Service for storing and rotation of secrets, keys, and passwords used by other services
op-vscode	A set of tools to integrate your development workflow with 1Password, powered by the 1Password CLI

Kubernetes Specific

Tool	Description
vault-k8s	Agent Sidecar Injector Vault-K8S integration that enables apps to leverage static and dynamic secrets sourced from Vault How-To: Dynamic Database Credentials with Vault and Kubernetes
kubernetes-external-secrets	Allows to use external secret management systems (e.g., AWS Secrets Manager, GCP Secrets Manager, Vault, etc.) to add secrets in Kubernetes
kube-secrets-init	Admission webhook that mutates any Pod that is using specially prefixed environment variables, directly or from Kubernetes as Secret or ConfigMap
kamus	Git-ops, zero-trust secret encryption and decryption solution for Kubernetes applications
sealed-secrets	A Kubernetes controller and tool for one-way encrypted Secrets
kiss	AWS-based secrets management for Kubernetes Leverages users' Kubernetes OIDC authentication tokens for AWS Secrets Manager secrets management
Secret Store CSI Driver	Google Secret Manager provider for the Secret Store CSI Driver
aws-secret-sidecar-injector	Kubernetes mutating webhook to fetch secrets from AWS Secrets Manager.

Hooks

Tool	Description
detect-secrets	Implement pre-commit hooks for secret detection
git-secrets	Prevents you from committing secrets and credentials into git repositories
talisman	Prevents you from committing authorization tokens and private keys

Scanners

Tool	Description
KeyHacks	Verify if disclosed API keys are still valid
Gitrob	Reconnaissance tool for GitHub organizations Usage: $ export GITROB_ACCESS_TOKEN=<TOKEN> $ gitrob <TARGET>
Gitleaks	Searches full repo history for secrets and keys
ggshield	Detect secrets in source code, scan git repos, and use pre commit hooks to prevent API key leaks
TruffleHog	Searches through git repositories for high entropy strings and secrets
Whispers	Static code analysis tool which identifies hardcoded secrets and dangerous behaviours
gitlab-watchman	Uses the GitLab API to audit GitLab for sensitive data and credentials exposed internally

Other

Tool	Description
How to Rotate Leaked API Keys	A collection of API key rotation tutorials for AWS, GCP, GitHub, and more