# SecretSpec
Stop committing secrets to git and putting them in `.env` files.
Secrets end up in `.env` files that get accidentally committed, shared over Slack, or copy-pasted between machines. Each developer has their own version, nobody knows which secrets are actually needed, and onboarding means asking around for values.
SecretSpec fixes this by separating secret **declaration** from secret **storage**. You commit a `secretspec.toml` that declares what secrets your application needs, while the actual values live in a secure provider like your system keyring, 1Password, or any other backend. No secrets in git, no `.env` files to leak.
[Documentation](https://secretspec.dev) | [Quick Start](https://secretspec.dev/quick-start) | [Announcement Blog Post](https://devenv.sh/blog/2025/07/21/announcing-secretspec-declarative-secrets-management)
## Features
- **[Declarative Configuration](https://secretspec.dev/reference/configuration/)**: Define your secrets in `secretspec.toml` with descriptions and requirements
- **[Multiple Provider Backends](https://secretspec.dev/concepts/providers/)**: [Keyring](https://secretspec.dev/providers/keyring), [.env](https://secretspec.dev/providers/dotenv), [OnePassword](https://secretspec.dev/providers/onepassword), [LastPass](https://secretspec.dev/providers/lastpass), [Pass](https://secretspec.dev/providers/pass), [environment variables](https://secretspec.dev/providers/env), [Google Cloud Secret Manager](https://secretspec.dev/providers/gcsm), [AWS Secrets Manager](https://secretspec.dev/providers/awssm), and [Vault/OpenBao](https://secretspec.dev/providers/vault)
- **[Type-Safe Rust SDK](https://secretspec.dev/sdk/rust/)**: Generate strongly-typed structs from your `secretspec.toml` for compile-time safety
- **[Profile Support](https://secretspec.dev/concepts/profiles/)**: Override secret requirements and defaults per profile (development, production, etc.)
- **Secret Generation**: Auto-generate passwords, tokens, UUIDs, and more when secrets are missing — declarative "generate if absent"
- **Configuration Inheritance**: Extend and override shared configurations using the `extends` feature
- **Discovery**: `secretspec init` to discover secrets from existing `.env` files
## Quick Start
```shell-session
# 1. Initialize secretspec.toml (discovers secrets from .env)
$ secretspec init
✓ Created secretspec.toml with 0 secrets

Next steps:
  1. secretspec config init           # Set up user configuration
  2. secretspec check                 # Verify all secrets are set
  3. secretspec run -- your-command   # Run with secrets

# 2. Set up provider backend
$ secretspec config init
? Select your preferred provider backend:
> onepassword: OnePassword password manager
  dotenv: Traditional .env files
  env: Read-only environment variables
  gcsm: Google Cloud Secret Manager
  keyring: Uses system keychain (Recommended)
  lastpass: LastPass password manager
  pass: Unix password manager (GPG)
? Select your default profile:
> development
  default
  none
✓ Configuration saved to /home/user/.config/secretspec/config.toml

# 3. Check and configure secrets
$ secretspec check

# 4. Run your application with secrets
$ secretspec run -- npm start

# Or with a specific profile and provider
$ secretspec run --profile production --provider dotenv -- npm start
```
See the [Quick Start Guide](https://secretspec.dev/quick-start) for detailed instructions.
## Installation
```shell-session
$ curl -sSL https://install.secretspec.dev | sh
```
See the [installation guide](https://secretspec.dev/quick-start#installation) for more options including Nix and Devenv.
## Configuration
Each project has a `secretspec.toml` file that declares the required secrets:
```toml
[project]
name = "my-app"  # Inferred from current directory name when using `secretspec init`
revision = "1.0"
# Optional: extend other configuration files
extends = ["../shared/common", "../shared/auth"]

[profiles.default]
DATABASE_URL = { description = "PostgreSQL connection string", required = true }
REDIS_URL = { description = "Redis connection string", required = false, default = "redis://localhost:6379" }

# Profile-specific configurations
[profiles.development]
DATABASE_URL = { description = "PostgreSQL connection string", required = false, default = "sqlite://./dev.db" }
REDIS_URL = { description = "Redis connection string", required = false, default = "redis://localhost:6379" }

[profiles.production]
DATABASE_URL = { description = "PostgreSQL connection string", required = true }
REDIS_URL = { description = "Redis connection string", required = true }
```
See the [configuration reference](https://secretspec.dev/reference/configuration/) for all available options.
## Profiles
Profiles allow you to define different secret requirements for each environment (development, production, etc.):
```shell-session
$ secretspec run --profile development -- npm start
$ secretspec run --profile production -- npm start
# Set default profile
$ secretspec config init
```
Learn more about [profiles](https://secretspec.dev/concepts/profiles) and [profile selection](https://secretspec.dev/concepts/profiles#profile-selection).
## Providers
SecretSpec supports multiple storage backends for secrets:
- **[Keyring](https://secretspec.dev/providers/keyring)** - System credential store (recommended)
- **[.env files](https://secretspec.dev/providers/dotenv)** - Traditional dotenv files
- **[Environment variables](https://secretspec.dev/providers/env)** - Read-only for CI/CD
- **[Pass](https://secretspec.dev/providers/pass)** - Unix password manager with GPG encryption
- **[OnePassword](https://secretspec.dev/providers/onepassword)** - Team secret management
- **[LastPass](https://secretspec.dev/providers/lastpass)** - Cloud password manager
- **[Google Cloud Secret Manager](https://secretspec.dev/providers/gcsm)** - GCP secret management
- **[AWS Secrets Manager](https://secretspec.dev/providers/awssm)** - AWS secret management
- **[Vault / OpenBao](https://secretspec.dev/providers/vault)** - HashiCorp Vault and OpenBao KV engine
```bash
$ secretspec run --provider keyring -- npm start
$ secretspec run --provider dotenv -- npm start
# Configure default provider
$ secretspec config init
```
See [provider concepts](https://secretspec.dev/concepts/providers) and [provider reference](https://secretspec.dev/reference/providers) for details.
## Rust SDK
Generate strongly-typed Rust structs from your `secretspec.toml`:
```rust
secretspec_derive::declare_secrets!("secretspec.toml");

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Load secrets with type safety
    let secrets = SecretSpec::load(Provider::Keyring)?;

    // Access secrets as struct fields
    println!("Database: {}", secrets.database_url);

    // Optional secrets are Option<String>
    if let Some(redis) = &secrets.redis_url {
        println!("Redis: {}", redis);
    }
    Ok(())
}
```
See the [Rust SDK documentation](https://secretspec.dev/sdk/rust) for advanced usage including profile-specific types.
## CLI Reference
Common commands:
```bash
# Initialize and configure
secretspec init              # Create secretspec.toml
secretspec config init       # Set up user configuration

# Manage secrets
secretspec check             # Verify all secrets are set
secretspec set KEY           # Set a secret interactively
secretspec get KEY           # Retrieve a secret
secretspec import PROVIDER   # Import secrets from another provider

# Run with secrets
secretspec run -- command    # Run command with secrets as env vars
```
See the [full CLI reference](https://secretspec.dev/reference/cli) for all commands and options.
## Contributing
We welcome contributions! Areas where you can help:
- **New provider backends** - See the [provider implementation guide](https://secretspec.dev/reference/adding-providers)
- **Language SDKs** - Help us support more languages beyond Rust
- **Package managers** - Get SecretSpec into your favorite package manager
- **Documentation** - Improve guides and examples
See our [GitHub repository](https://github.com/cachix/secretspec) to get started.
## License
This project is licensed under the Apache License 2.0.