upvote

points

by devenjarvis284 days ago |
comments
upvoteby firesteelrain284 days ago|
[-]
Interesting approach. Why this over GitLab secrets that are integrated with a vault of choice?

I assume this is to cover the non-CI/CD scenario.

reply
upvoteby devenjarvis284 days ago|
parent|
[-]
Thanks for checking it out! The pain point for me has largely been during local development, especially in a team setting when secrets change or people onboard or roll off and those manually managed .env files get unwieldy.

Gitlab Secrets looks cool, but that hits at another reason I think RunSecret is valuable even for CI - we don’t use GitLab at my day job so it’s not an option for me! I think GitLab and 1password have interesting proprietary solutions that definitely have inspired RunSecret, but I’d love to see an open source, universal solution here - which I’m hoping RunSecret can be!

reply
upvoteby firesteelrain284 days ago|
parent|
[-]
The disadvantage to GitLab is to get the feature mentioned is you need to pay for the premium version. We host it ourselves and looking to buy the Enterprise version to get us the vault integrations (specifically AKV)
reply
upvoteby devenjarvis284 days ago|
parent|
[-]
Ahh, yup! The RunSecret CLI is completely free and open source.

Azure KeyVault support is in progress and should land soon. I will notate it in the release changelog once it’s ready, but I’m also happy to reply here or let you know another way if you are interested!

reply
upvoteby firesteelrain284 days ago|
parent|
[-]
Will monitor your progress

Also be interesting to see what trufflehog finds (should be false positive)

https://github.com/trufflesecurity/trufflehog

Where are you storing the creds to get the secret from the vault?

This is the secret zero problem and other platforms solve it in other ways such as HSM

reply
upvoteby devenjarvis284 days ago|
parent|
[-]
Yea that is a hard problem to solve. Right now RunSecret depends on the host system (your laptop, CI runner, or application container) having access to the secret vault(s) of choice that you reference. This can be through ENV VARS, OIDC, or IAM roles (in some cases) but currently there is no HSM support.
reply
upvoteby firesteelrain284 days ago|
parent|
[-]
No worries, interesting way to solve this problem!
reply