| Field | Value |
|---|---|
| Name | secret-run |
| Version | 0.1.0 |
| home_page | None |
| Summary | Secure command execution with temporary secret injection |
| upload_time | 2025-07-12 15:34:54 |
| maintainer | None |
| docs_url | None |
| author | None |
| requires_python | >=3.10 |
| license | MIT |
| keywords | cli, devops, environment, secrets, security |
| VCS | |
| bugtrack_url | |
| requirements | No requirements were recorded. |
| Travis-CI | No Travis. |
| coveralls test coverage | No coveralls. |
# 🚀 Secret Run
**Secure command execution with temporary secret injection**
Secret Run is a production-ready command-line tool that executes commands with temporary secret injection, ensuring secrets never touch the filesystem. This tool addresses the critical security need of running applications with sensitive environment variables without persistent storage risks.
## ✨ Features
- **🔒 Memory-Safe Secret Handling**: Secrets are kept in memory and explicitly cleaned up
- **🛡️ Process Isolation**: Commands run in isolated process trees
- **📁 Multiple Input Sources**: Load secrets from files, environment, stdin, and more
- **🔧 Secret Transformations**: Base64 decode, JSON parse, template substitution
- **✅ Validation**: Built-in secret validation and pattern checking
- **📊 Audit Logging**: Comprehensive audit trails for security compliance
- **🌐 Cross-Platform**: Works on Linux, macOS, and Windows
- **⚡ High Performance**: Minimal overhead with async execution
- **🎨 Beautiful UI**: Rich terminal interface with progress indicators
- **🔄 Secret Rotation**: Advanced secret lifecycle management with policies
- **☁️ Cloud Integrations**: Native support for AWS, GCP, Azure, and HashiCorp Vault
- **🤖 Auto-Rotation**: Automated secret rotation based on policies
- **📋 Policy Management**: Flexible rotation policies with pattern matching
- **🏥 Health Monitoring**: Secret expiry tracking and health checks
- **🔄 Multi-Cloud Sync**: Synchronize secrets across multiple cloud providers
- **🔑 Metadata Management**: Automatic secret metadata registration and validation
## 🚀 Quick Start
### Installation
```bash
# Install from PyPI
pip install secret-run
# Or install with all integrations (quoted so the shell does not expand the brackets)
pip install "secret-run[all]"
# Or install from source
git clone https://github.com/Sherin-SEF-AI/secret-run.git
cd secret-run
pip install -e .
```
### Basic Usage
```bash
# Run a command with secrets from environment variables
secret-run run "python app.py" --env API_KEY=sk_live_123 --env DATABASE_URL=postgresql://user:pass@localhost/db
# Load secrets from a .env file
secret-run run "docker-compose up" --file .env.production
# Load secrets from JSON
secret-run run "node server.js" --file config.json --format json
# Read secrets from stdin
echo '{"API_KEY": "secret123"}' | secret-run run "python script.py" --stdin
# Validate secrets before execution
secret-run run "python app.py" --file .env --validate --require-keys API_KEY,DATABASE_URL
```
## 🔑 Secret Metadata Management
**Important**: Before generating or rotating secrets, you must register secret metadata. This ensures proper lifecycle management and policy enforcement.
### Automatic Metadata Registration
The demo scripts automatically handle metadata registration. For manual usage:
```bash
# Metadata is stored in ~/.config/secret-run/secret-metadata.json
# Each secret requires: key, policy, hash, and metadata fields
```
### Demo Scripts
Two demo scripts are provided for different use cases:
#### Single-Key Demo (`demo_showcase.sh`)
```bash
# Configure variables at the top of the script
SECRET_KEY="my-secret"
SECRET_POLICY="my-policy"
SECRET_LENGTH=32
# Run the demo
./demo_showcase.sh
```
#### Multi-Key Demo (`multi_key_demo.sh`)
```bash
# Demonstrates multiple secrets with different policies
# Configurable in the SECRETS array: "key:policy:length"
./multi_key_demo.sh
```
## 📋 Command Reference
### Core Commands
```bash
# Execute commands with secrets
secret-run run COMMAND [ARGS...] [OPTIONS]
# Validate secrets and configurations
secret-run validate [OPTIONS]
# Manage configuration
secret-run config [COMMAND] [OPTIONS]
# Audit and monitoring
secret-run audit [COMMAND] [OPTIONS]
# Secret rotation and lifecycle management
secret-run rotate [COMMAND] [OPTIONS]
# Cloud integrations management
secret-run cloud [COMMAND] [OPTIONS]
# System information and health
secret-run doctor [OPTIONS]
secret-run info [OPTIONS]
secret-run version [OPTIONS]
```
### Advanced Commands
#### Secret Rotation
```bash
# Check rotation status
secret-run rotate status --days 30
# Generate new secret (requires metadata registration)
secret-run rotate generate --key API_KEY --method random --policy api_keys
# Rotate specific secret
secret-run rotate rotate --key DATABASE_PASSWORD --method random
# Auto-rotate expired secrets
secret-run rotate auto-rotate --dry-run
# Manage rotation policies
secret-run rotate policy --action list
secret-run rotate policy --action create --name custom --pattern "^CUSTOM_.*" --interval 60
```
#### Cloud Integrations
```bash
# List cloud integrations
secret-run cloud list
# Add AWS integration
secret-run cloud add-aws --name prod --region us-east-1 --profile default
# Add GCP integration
secret-run cloud add-gcp --name prod --project my-project
# Add Azure integration
secret-run cloud add-azure --name prod --vault-url https://my-vault.vault.azure.net/
# Add HashiCorp Vault integration
secret-run cloud add-vault --name prod --address https://vault.company.com
# Get secret from cloud
secret-run cloud get --secret my-secret --format json
# Put secret to cloud
secret-run cloud put --secret my-secret --value "secret-value"
# Test cloud connectivity
secret-run cloud test --integration prod
```
### Run Command Options
```bash
secret-run run COMMAND [ARGS...]
  --env KEY=VALUE                   # Direct secret specification (repeatable)
  --file PATH                       # Load from file (.env, .json, .yaml)
  --stdin                           # Read secrets from stdin
  --format FORMAT                   # Input format: env|json|yaml|ini
  --mask-output                     # Mask secrets in command output
  --timeout SECONDS                 # Command execution timeout (default: 300)
  --working-dir PATH                # Change working directory
  --shell SHELL                     # Specify shell (bash, zsh, fish, cmd, powershell)
  --dry-run                         # Show what would be executed without running
  --quiet                           # Suppress output except errors
  --verbose                         # Detailed execution logging
  --validate                        # Validate secrets before execution
  --require-keys KEYS               # Comma-separated list of required keys
  --max-memory MB                   # Memory limit for child process
  --user USER                       # Run as different user (Unix only)
  --group GROUP                     # Run with different group (Unix only)
  --inherit-env / --no-inherit-env  # Inherit parent environment (default: true)
  --escape-quotes                   # Escape quotes in secret values
  --base64-decode KEYS              # Base64 decode specified keys
  --json-parse KEYS                 # Parse JSON in specified keys
  --template-vars                   # Enable template variable substitution
```
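The injection that `--env`, `--mask-output` and `--no-inherit-env` describe can be sketched as follows. This is an added example, not secret-run's own code; `build_child_env`, `mask`, `run_with_secrets` and the sample key are hypothetical names and constructed values.

```python
import base64
import os
import subprocess
import sys


def build_child_env(secrets, inherit_env=True, base_env=None):
    """Return the child's environment; the parent's os.environ is never modified."""
    if inherit_env:
        env = dict(os.environ if base_env is None else base_env)
    else:
        env = {}
    env.update(secrets)
    return env


def mask(text, secrets, placeholder="***"):
    """Replace each secret value, and its base64 form, with a placeholder."""
    needles = set()
    for value in secrets.values():
        if len(value) < 4:  # very short values would mask unrelated output
            continue
        needles.add(value)
        # Only matches when the child encodes exactly the secret, nothing around it.
        needles.add(base64.b64encode(value.encode()).decode())
    # Longest first, so a secret that contains another one is masked whole.
    for needle in sorted(needles, key=len, reverse=True):
        text = text.replace(needle, placeholder)
    return text


def run_with_secrets(argv, secrets, inherit_env=True, timeout=300):
    """Run argv (a list, no shell) with the secrets present only in its environment."""
    proc = subprocess.run(
        argv,
        env=build_child_env(secrets, inherit_env),
        capture_output=True,
        text=True,
        timeout=timeout,
        check=False,
    )
    return proc.returncode, mask(proc.stdout, secrets), mask(proc.stderr, secrets)


# Constructed sample: a child that prints its secret in clear and in base64.
SAMPLE_SECRETS = {"API_KEY": "constructed-sample-key-0001"}
SAMPLE_CHILD = [
    sys.executable,
    "-c",
    "import os, base64; k = os.environ['API_KEY']; "
    "print('key=' + k); print('b64=' + base64.b64encode(k.encode()).decode())",
]

if __name__ == "__main__":
    code, out, err = run_with_secrets(SAMPLE_CHILD, SAMPLE_SECRETS)
    print(code)
    print(out, end="")
```

A value passed as `--env KEY=VALUE` is part of the command line, so it lands in shell history and process listings; `--file` and `--stdin` keep it out of argv. Literal masking only catches the encodings it is told about, here the raw value and its base64 form.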
## 🔧 Configuration
### Global Configuration
Secret Run uses a YAML configuration file located at:
- **Linux/macOS**: `~/.config/secret-run/config.yaml`
- **Windows**: `%APPDATA%\secret-run\config.yaml`
```yaml
version: "1.0"
default_profile: "default"
security:
  mask_output: true
  audit_logging: true
  memory_limit: 512 # MB
  execution_timeout: 300 # seconds
  require_confirmation: false
logging:
  level: "INFO"
  format: "structured" # structured|human
  file: "~/.config/secret-run/logs/secret-run.log"
  max_size: "10MB"
  max_files: 5
sources:
  default_format: "env"
  cache_ttl: 300
  parallel_loading: true
  validation_enabled: true
execution:
  default_shell: "auto" # auto|bash|zsh|fish|cmd|powershell
  inherit_environment: true
  working_directory: "."
  signal_timeout: 10
ui:
  color: true
  progress_bars: true
  confirmation_prompts: true
  table_format: "grid"
```
### Secret Metadata Configuration
Secret metadata is stored in `~/.config/secret-run/secret-metadata.json`:
```json
{
  "SECRET_KEY": {
    "key": "SECRET_KEY",
    "created_at": "2025-07-12T20:44:02.123456",
    "last_rotated": "2025-07-12T20:44:02.123456",
    "expires_at": null,
    "rotation_count": 1,
    "hash": "sha256_hash_of_secret_key",
    "policy": "policy_name",
    "tags": [],
    "usage_count": 0,
    "last_used": null
  }
}
```
### Profile Configuration
Create environment-specific profiles:
```yaml
# ~/.config/secret-run/profiles/production.yaml
name: "production"
description: "Production environment secrets"
sources:
  - name: "vault"
    type: "hashicorp-vault"
    config:
      address: "https://vault.company.com"
      auth_method: "aws"
      path: "secret/production"
  - name: "env-file"
    type: "file"
    config:
      path: ".env.production"
      format: "env"
      watch: false
security:
  require_confirmation: true
  audit_all_operations: true
  allowed_commands:
    - "python"
    - "node"
    - "docker"
    - "kubectl"
validation:
  schema: "schemas/production.yaml"
  required_keys:
    - "DATABASE_URL"
    - "API_KEY"
    - "JWT_SECRET"
  patterns:
    API_KEY: "^sk_live_[a-zA-Z0-9]{32}$"
    DATABASE_URL: "^postgresql://"
```
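A validator for the `required_keys` and `patterns` entries of the profile above, as an added example that is not secret-run's implementation; `validate_secrets` and the sample values are hypothetical and constructed. It also rejects surrounding whitespace, because in Python's `re` a pattern ending in `$` still matches a value that has a trailing newline.

```python
import re

# POSIX-style environment variable name.
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# Constructed copy of the `validation:` section of the profile shown above.
PROFILE_VALIDATION = {
    "required_keys": ["DATABASE_URL", "API_KEY", "JWT_SECRET"],
    "patterns": {
        "API_KEY": r"^sk_live_[a-zA-Z0-9]{32}$",
        "DATABASE_URL": r"^postgresql://",
    },
}


def validate_secrets(secrets, validation):
    """Return sorted findings; each names the key and never contains the value."""
    findings = []
    for key in validation.get("required_keys", []):
        if not secrets.get(key):
            findings.append(f"{key}: required key is missing or empty")
    for key, value in secrets.items():
        if not NAME_RE.fullmatch(key):
            findings.append(f"{key!r}: not a valid environment variable name")
        if "\x00" in value:
            # A NUL byte cannot be represented in a process environment.
            findings.append(f"{key}: value contains a NUL byte")
        if value != value.strip():
            # Typical cause: a trailing newline from `echo` or a file read.
            findings.append(f"{key}: value has leading or trailing whitespace")
    for key, pattern in validation.get("patterns", {}).items():
        # re.search honours the anchors written in the profile's patterns.
        if key in secrets and not re.search(pattern, secrets[key]):
            findings.append(f"{key}: value does not match the profile pattern")
    return sorted(findings)


# Constructed sample values; none of them is a real credential.
SAMPLE_KEY = "sk_live_" + "A1b2" * 8
SAMPLE_GOOD = {
    "DATABASE_URL": "postgresql://db.example.internal/app",
    "API_KEY": SAMPLE_KEY,
    "JWT_SECRET": "constructed-jwt-secret",
}

if __name__ == "__main__":
    print(validate_secrets(SAMPLE_GOOD, PROFILE_VALIDATION))
    print(validate_secrets(dict(SAMPLE_GOOD, API_KEY=SAMPLE_KEY + "\n"), PROFILE_VALIDATION))
    print(validate_secrets({"API_KEY": "sk_live_123"}, PROFILE_VALIDATION))
```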
## 🔒 Security Features
### Memory Safety
- **Secure Memory Allocation**: Uses `mlock()` to prevent secrets from swapping to disk
- **Explicit Memory Zeroing**: Overwrites memory containing secrets before deallocation
- **Process Isolation**: Runs commands in isolated process trees
- **Signal Handling**: Graceful cleanup on SIGTERM/SIGINT
### Input Validation
- **Secret Pattern Recognition**: Detects and validates common secret formats
- **Input Sanitization**: Prevents command injection through secret values
- **Environment Variable Validation**: Ensures valid variable names and values
- **File Path Validation**: Secure handling of file paths and permissions
### Audit & Logging
- **Structured Audit Logs**: JSON-formatted audit trails with timestamps
- **Configurable Log Levels**: Debug, info, warning, error with filtering
- **Secret Masking**: Automatic masking of sensitive values in logs
- **Tamper Detection**: Log integrity verification
## 🚀 Advanced Features
### Secret Rotation Workflow
1. **Create Policy**: Define rotation rules and patterns
2. **Register Metadata**: Add secret metadata to enable rotation
3. **Generate/Rotate**: Create or update secrets with policies
4. **Monitor**: Track expiry and rotation status
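
The four steps above, worked against the metadata fields and policy options shown on this page. This is an added example, not secret-run's code: the function names are hypothetical, `interval` is assumed to be in days, and `hash` is assumed to be the SHA-256 hex digest of the secret value.

```python
import hashlib
import re
from datetime import datetime, timedelta


def register_metadata(key, value, policy, now):
    """Step 2: build a record with the fields of secret-metadata.json."""
    stamp = now.isoformat()
    return {
        "key": key,
        "created_at": stamp,
        "last_rotated": stamp,
        "expires_at": None,
        "rotation_count": 1,
        # Assumption: digest of the secret value, so the value itself is not stored.
        "hash": hashlib.sha256(value.encode()).hexdigest(),
        "policy": policy,
        "tags": [],
        "usage_count": 0,
        "last_used": None,
    }


def rotation_status(metadata, policies, now, days):
    """Step 4: classify each secret as 'expired', 'due' (within `days`) or 'ok'."""
    report = {}
    for key, record in metadata.items():
        policy = policies.get(record["policy"])
        if policy is None:
            report[key] = "unknown-policy"
            continue
        if not re.search(policy["pattern"], key):
            # The policy named in the record does not cover this key name.
            report[key] = "policy-pattern-mismatch"
            continue
        # Assumption: `interval` counts days since the last rotation.
        deadline = datetime.fromisoformat(record["last_rotated"]) + timedelta(
            days=policy["interval"]
        )
        if record["expires_at"]:
            deadline = min(deadline, datetime.fromisoformat(record["expires_at"]))
        if deadline <= now:
            report[key] = "expired"
        elif deadline <= now + timedelta(days=days):
            report[key] = "due"
        else:
            report[key] = "ok"
    return report


# Step 1: policies with the patterns and intervals used in the commands on this page.
SAMPLE_POLICIES = {
    "api-keys": {"pattern": r"^.*_API_KEY$", "interval": 90},
    "custom": {"pattern": r"^CUSTOM_.*", "interval": 60},
}
# Constructed records: (key, policy, age in days at NOW).
NOW = datetime(2025, 7, 12, 20, 44, 2)
SAMPLE_METADATA = {
    key: register_metadata(key, "constructed-value", policy, NOW - timedelta(days=age))
    for key, policy, age in [
        ("BILLING_API_KEY", "api-keys", 100),
        ("SEARCH_API_KEY", "api-keys", 70),
        ("CUSTOM_TOKEN", "custom", 5),
        ("demo-secret", "api-keys", 1),
    ]
}

if __name__ == "__main__":
    for key, state in rotation_status(SAMPLE_METADATA, SAMPLE_POLICIES, NOW, 30).items():
        print(f"{key}: {state}")
```

An unsalted digest identifies a secret without storing it, but anyone who can read the file can test guesses against low-entropy values, so the metadata file warrants the same permissions as the secret sources.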
### Multi-Cloud Secret Management
- **AWS Secrets Manager**: Native integration with IAM roles
- **Google Cloud Secret Manager**: Project-based secret management
- **Azure Key Vault**: Enterprise-grade secret storage
- **HashiCorp Vault**: Self-hosted secret management
### Health Monitoring
```bash
# Check secret health
secret-run rotate status --days 7
# Monitor expiring secrets
secret-run rotate status --format json
# Auto-rotate expired secrets
secret-run rotate auto-rotate --dry-run
```
## 🛠️ Troubleshooting
### Common Issues
#### "No metadata found for secret"
**Solution**: Register secret metadata before generation:
```bash
# Use the demo scripts which handle this automatically
./demo_showcase.sh
./multi_key_demo.sh
```
#### Pyperclip clipboard warning
**Solution**: Install clipboard support or ignore the warning:
```bash
# Ubuntu/Debian
sudo apt-get install xclip
# macOS
brew install reattach-to-user-namespace
# The warning doesn't affect secret generation
```
#### Policy creation fails
**Solution**: Check if policy already exists:
```bash
secret-run rotate policy --action list
```
### Debug Mode
Enable verbose logging for troubleshooting:
```bash
secret-run --verbose rotate generate --key my-secret --policy my-policy
```
## 📚 Examples
### Basic Secret Management
```bash
# Create a policy
secret-run rotate policy --action create --name api-keys --pattern "^.*_API_KEY$" --interval 90
# Generate a secret (with metadata registration)
./demo_showcase.sh
# Rotate the secret
secret-run rotate rotate --key demo-secret --method random --force
```
### Multi-Environment Setup
```bash
# Development
SECRET_KEY="dev-api-key" SECRET_POLICY="dev-policy" ./demo_showcase.sh
# Production
SECRET_KEY="prod-api-key" SECRET_POLICY="prod-policy" ./demo_showcase.sh
# Batch processing
./multi_key_demo.sh
```
### Cloud Integration
```bash
# Add cloud provider
secret-run cloud add-aws --name prod --region us-east-1
# Sync secrets
secret-run cloud put --secret my-secret --value "secret-value"
secret-run cloud get --secret my-secret
```
## 🤝 Contributing
We welcome contributions! Please see our [Contributing Guide](CONTRIBUTING.md) for details.
### Development Setup
```bash
git clone https://github.com/Sherin-SEF-AI/secret-run.git
cd secret-run
pip install -e ".[dev]"
pytest
```
## 📄 License
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
## 🔗 Links
- [Documentation](https://secret-run.readthedocs.io/)
- [Issue Tracker](https://github.com/Sherin-SEF-AI/secret-run/issues)
- [Changelog](CHANGELOG.md)
- [Contributing](CONTRIBUTING.md)
---
**Made with ❤️ for secure DevOps**
Raw data
{
"_id": null,
"home_page": null,
"name": "secret-run",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.10",
"maintainer_email": null,
"keywords": "cli, devops, environment, secrets, security",
"author": null,
"author_email": "sherin joseph roy <sherin.joseph2217@gmail.com>",
"download_url": "https://files.pythonhosted.org/packages/4b/03/c43f50506f307a15fc0151085483008e380bac1647de1566cc3203642972/secret_run-0.1.0.tar.gz",
"platform": null,
"bugtrack_url": null,
"license": "MIT",
"summary": "Secure command execution with temporary secret injection",
"version": "0.1.0",
"project_urls": {
"Changelog": "https://github.com/Sherin-SEF-AI/secret-run/blob/master/CHANGELOG.md",
"Documentation": "https://github.com/Sherin-SEF-AI/secret-run#readme",
"Homepage": "https://github.com/Sherin-SEF-AI/secret-run",
"Issues": "https://github.com/Sherin-SEF-AI/secret-run/issues",
"Repository": "https://github.com/Sherin-SEF-AI/secret-run.git"
},
"split_keywords": [
"cli",
" devops",
" environment",
" secrets",
" security"
],
"urls": [
{
"comment_text": null,
"digests": {
"blake2b_256": "b094481704072627400f317ab19268eb13df0763309ea2ae9751a9525450b1ff",
"md5": "e42e2210815ad51c7edfca20a52632d2",
"sha256": "8e2681bded834840ea0b2782e29c4873c2aeb850b5b3d57bc20ec6567f4ed859"
},
"downloads": -1,
"filename": "secret_run-0.1.0-py3-none-any.whl",
"has_sig": false,
"md5_digest": "e42e2210815ad51c7edfca20a52632d2",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.10",
"size": 50348,
"upload_time": "2025-07-12T15:34:51",
"upload_time_iso_8601": "2025-07-12T15:34:51.870135Z",
"url": "https://files.pythonhosted.org/packages/b0/94/481704072627400f317ab19268eb13df0763309ea2ae9751a9525450b1ff/secret_run-0.1.0-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": null,
"digests": {
"blake2b_256": "4b03c43f50506f307a15fc0151085483008e380bac1647de1566cc3203642972",
"md5": "6ab47825075a173ee1ccf64bed09d1b0",
"sha256": "addb054bc93433d8eb276237021107992d5efcf7ffe965e205d97e36b17dcafd"
},
"downloads": -1,
"filename": "secret_run-0.1.0.tar.gz",
"has_sig": false,
"md5_digest": "6ab47825075a173ee1ccf64bed09d1b0",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.10",
"size": 54046,
"upload_time": "2025-07-12T15:34:54",
"upload_time_iso_8601": "2025-07-12T15:34:54.074486Z",
"url": "https://files.pythonhosted.org/packages/4b/03/c43f50506f307a15fc0151085483008e380bac1647de1566cc3203642972/secret_run-0.1.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2025-07-12 15:34:54",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "Sherin-SEF-AI",
"github_project": "secret-run",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"lcname": "secret-run"
}