Skip to main content

A secrets orchestration, lifecycle, and bootstrap engine for code repositories

Project description

SecretZero™

Latest Release License: Apache 2.0 Ask DeepWiki Status: Stable Python 3.12+ Entra Agent ID Preview Tests Build

SecretZero is a secrets as code management tool that automates the creation, seeding, and lifecycle management of project secrets through self-documenting declarative manifests. The very first secrets you seed for a new project or environment (known in the industry as 'secret-zero') are often the most difficult to track, maintain, seed, audit, and rotate. SecretZero aims to be an answer to this madness.

The Problem

If you have ever asked any of these questions about a new or existing codebase then SecretZero is for you!

  • Where are all the secrets in my project?
  • How do I generate new secrets, api keys, or certificates to deploy a whole new environment or application deployment?
  • When were my critical project secrets last rotated?
  • If I needed to bootstrap this entire project from scratch would I be able to do so without manually handling any secrets?
  • How do I document my project's secrets surface area and requirements?

Features

Core Capabilities

  • Idempotent bootstrap of initial secrets for one or more environments
  • Lockfile tracking for secrets with rotation history and timestamps
  • Dual-purpose providers that can both request/rotate new secrets and store them across a variety of environments
  • Type safety and validation at every layer with strongly-typed Pydantic models
  • Variable interpolation and stacking for targeting multiple environments independently
  • Manual secret fallbacks via environment variables when automatic generation isn't possible
  • Self-documenting secrets-as-code showing when secrets were created, from where, and where they are now

Advanced Features

  • Secret Rotation Policies - Automated rotation based on configurable time periods (90d, 2w, etc.)
  • Policy Enforcement - Validate secrets against rotation, compliance, and access control policies
  • Compliance Support - Built-in SOC2 and ISO27001 compliance policies
  • Drift Detection - Detect when secrets have been modified outside of SecretZero's control
  • Rotation Tracking - Track rotation history, count, and last rotation timestamp in lockfile
  • One-time Secrets - Support for secrets that should only be generated once
  • Entra Agent ID Blueprint Orchestration - Declaratively manage Entra agent identity blueprints and credential posture via Microsoft Graph
  • MCP Server - Native Model Context Protocol server (secretzero mcp serve) with metadata-only tools for Cursor, Claude Desktop, and other agent hosts — see docs/mcp-setup.md
  • API - Run as an API server if you need to for some reason I cannot fathom

secretzero get safety controls:

  • SZ_SANDBOX=true blocks retrieval by default
  • SZ_ALLOW_GET_IN_SANDBOX=true explicitly overrides the block
  • --reveal is required to print plaintext values
  • SZ_AGENT_MODE=true (or SZ_AGENT=true) blocks --reveal and other commands that would dump secret-bearing config to stdout; use secretzero ingest preseed for .env lockfile hashing

How It Works

At its core SecretZero is a declarative manifest that defines your secret usage in a project and automates requesting + seeding across targets while tracking state in a lockfile.

For end-to-end workflow diagrams and graph screenshots, see:

Use Cases

  • GitOps-first infrastructure with git-friendly lockfiles for multi-environment secret provisioning.
  • Multi-cloud secret synchronization across AWS Secrets Manager, Azure Key Vault, and HashiCorp Vault from a single source of truth.
  • Database credential bootstrapping and rotation for PostgreSQL, MySQL, MongoDB, and similar systems.
  • Certificate management for TLS certificates, SSH keypairs, and signing certificates across environments.
  • CI/CD secret provisioning for GitHub Actions, GitLab CI, Jenkins, and related pipelines.
  • Kubernetes secret seeding, including External Secrets Operator manifest generation for target secrets.
  • Development environment setup so new team members can bootstrap local .env files without manual credential sharing.
  • Compliance and audit workflows with lockfile history for SOC2 and ISO-style evidence.
  • Secret-zero bootstrap for greenfield deployments and disaster recovery scenarios.
  • API key lifecycle management for third-party services like Stripe, SendGrid, and Twilio.
  • Microservices secret coordination for shared signing keys, encryption keys, and other distributed credentials.
  • Environment parity testing with ephemeral environments that use production-like secrets without exposing real credentials.

Components

These are the core components of this application.

Secrets

Secrets are usually just a text or dict type. In our case we use a schema of allowed values so that we can easily map out a secret type when requesting it from the provider (kinda need to know what you are asking for right?). This is really a contract used for expected data from a provider and then expressed in targets.

NOTE All secrets have a source and at least 1 or more targets.

Providers

Providers are similar to terraform providers and are often an authentication point granting API access to secret sources or targets.

Secret sources are provider bound. If authentication fails, the user is (optionally) prompted for secrets manually as a failover. This is often necessary if there is a manual request somewhere in your bootstrap process.

Installation

Basic Installation

uv tool install -U "secretzero[all]"

With Provider Support

# AWS support
uv tool install "secretzero[aws]"

# Azure support
uv tool install "secretzero[azure]"

# Entra Agent ID support
uv tool install "secretzero[entra_agent_id]"

# Vault support
uv tool install "secretzero[vault]"

# Kubernetes support
uv tool install "secretzero[kubernetes]"

# CI/CD support (GitHub, GitLab, Jenkins)
uv tool install "secretzero[cicd]"

# API server support
uv tool install "secretzero[api]"

# Everything (easiest)
uv tool install "secretzero[all]"

Installation (Development)

# Clone the repository
git clone https://github.com/zloeber/SecretZero.git
cd SecretZero

# Create virtual environment (include pip and other tools)
uv sync --all-extras
source .venv/bin/activate  # On Windows: .venv\Scripts\activate

# Install in development mode
uv uv tool install -e ".[dev]"

Quick Start

CLI Usage

# Start a one-time web interface
secretzero web

# Start a one-time web interface that targets the dev environment
secretzero web -e dev

# List supported secret types
secretzero secret-types

# Show detailed configuration for a specific type
secretzero secret-types --type password --verbose

# Create a new manifest from template
secretzero create --template-type basic

# Validate your manifest
secretzero validate

# Test provider connectivity
secretzero test

# Generate and sync secrets (dry-run)
secretzero sync --dry-run

API Server

# Install API dependencies
uv tool install secretzero[api]

# Set API key (optional, enables authentication)
export SECRETZERO_API_KEY=$(python -c "import secrets; print(secrets.token_urlsafe(32))")

# Start server
secretzero-api

# Server runs on http://localhost:8000
# Visit http://localhost:8000/docs for interactive API documentation

API Usage Examples

# Health check
curl http://localhost:8000/health

# List secrets (with authentication)
curl -H "X-API-Key: $SECRETZERO_API_KEY" http://localhost:8000/secrets

# Sync secrets
curl -X POST -H "X-API-Key: $SECRETZERO_API_KEY" \
  -H "Content-Type: application/json" \
  http://localhost:8000/sync \
  -d '{"dry_run": true, "force": false}'

# Check rotation status
curl -X POST -H "X-API-Key: $SECRETZERO_API_KEY" \
  -H "Content-Type: application/json" \
  http://localhost:8000/rotation/check \
  -d '{}'

For more API examples, see docs/api-getting-started.md.

Demo

See local Secretfile.*.yml files or other local examples. Here we run some of the commands against the local Secretfile.yml manifest:

Demo of secretzero cli

Pretty Graphs

Secret Graph Overview

Secret graph overview

This view shows the top-level relationship between generated/resolved secrets and their targets.

Sync State Across Targets

Sync state graph

Edges reflect target sync state so you can quickly identify what is already synced versus pending/drifted.

Destination-Centric View

Destination-centric graph

Documentation

Security

SecretZero is designed with security as a priority:

  • ✅ No plaintext secrets in lock files (only metadata hashes)
  • ✅ Schema-driven validation at every layer
  • ✅ Type-safe implementations with Pydantic
  • ✅ Idempotent operations to prevent accidental overwrites
  • ✅ Audit trail through lock file tracking

License

Apache

FAQs

Relationship to External Secrets Operator

SecretZero is designed to complement, not replace, the External Secrets Operator.

SecretZero manages secret creation, bootstrap, lifecycle, and auditability upstream, while External Secrets handles runtime projection into Kubernetes.

Relationship to <Vault|Infiscal|Others>

A secrets management solution like Infisical is a strong control plane for secret storage and policy. SecretZero compliments this and other secrets solutions by adding deterministic orchestration and cross-provider lifecycle modeling. SecretZero maps out the secrets from inception to usage and beyond regardless of the backend secrets platforms in place.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

secretzero-0.14.16.tar.gz (3.8 MB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

secretzero-0.14.16-py3-none-any.whl (393.5 kB view details)

Uploaded Python 3

File details

Details for the file secretzero-0.14.16.tar.gz.

File metadata

  • Download URL: secretzero-0.14.16.tar.gz
  • Upload date:
  • Size: 3.8 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for secretzero-0.14.16.tar.gz
Algorithm Hash digest
SHA256 487c284076e5daf15ac2e064871cd3f634df92f03f1c0eb2860931f4d7d976c8
MD5 8d16aead840169b0032891a36e402893
BLAKE2b-256 bdc152d28539330e9ab5aae02e655993007f1d0ba30c567468aa6de7d2ce9c28

See more details on using hashes here.

Provenance

The following attestation bundles were made for secretzero-0.14.16.tar.gz:

Publisher: release.yaml on zloeber/SecretZero

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file secretzero-0.14.16-py3-none-any.whl.

File metadata

  • Download URL: secretzero-0.14.16-py3-none-any.whl
  • Upload date:
  • Size: 393.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for secretzero-0.14.16-py3-none-any.whl
Algorithm Hash digest
SHA256 e9bffa4c453bf2358a590966963c33e5a50d46c54478016ff73b366fefe60764
MD5 0f91ae23b0a920363853533b844ae1e2
BLAKE2b-256 513275cb787a6f7f4efcaa868372c6fa54d17736f22333043d71a23a1ec0214e

See more details on using hashes here.

Provenance

The following attestation bundles were made for secretzero-0.14.16-py3-none-any.whl:

Publisher: release.yaml on zloeber/SecretZero

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page