[![Downloads](https://static.pepy.tech/badge/whispr/month)](https://pepy.tech/project/whispr)
[![Coverage Status](https://coveralls.io/repos/github/narenaryan/whispr/badge.svg)](https://coveralls.io/github/narenaryan/whispr)
# Whispr
![Logo](https://github.com/narenaryan/whispr/raw/main/logo.png)
Whispr (pronounced "whisper") is a CLI tool to safely inject secrets from your favorite secret vault (Ex: AWS Secrets Manager, Azure Key Vault etc.) into your app's environment. This is very useful for enabling secure local software development.
Whispr reads the keys (with empty values) specified in a `.env` file, fetches the respective secrets from a vault, and sets them as environment variables before launching an application.
Key Features of Whispr:
* **Safe Secret Injection**: Fetch and inject secrets from your desired vault over HTTPS, with SSL encryption and strict certificate validation.
* **Just In Time (JIT) Privilege**: Set environment variables for developers only when they're needed.
* **Secure Development**: Eliminate plain-text secret storage and ensure a secure development process.
* **Customizable Configurations**: Configure project-level settings to manage multiple secrets for multiple projects.
* **No Custom Scripts Required**: Whispr eliminates the need for custom bash scripts or cloud CLI tools to manage secrets, making it easy to get started.
* **Easy Installation**: Cross-platform installation with PyPI.
Supported Vault Technologies:
![Supported-vaults](https://github.com/narenaryan/whispr/raw/main/whispr-supported.png)
# Why use Whispr?
The MITRE ATT&CK Framework Tactic 8 (Credential Access) suggests that adversaries can exploit plain-text secrets and sensitive information stored in files like `.env`. It is essential to avoid storing
sensitive information in unencrypted files. To help developers, Whispr can safely fetch and inject secrets from a vault into the current shell environment. This enables developers to securely manage
credentials and mitigate adversary exploitation tactics.
# Installation and Setup
## Installing Whispr
To get started with Whispr, simply run:
```bash
pip install whispr
```
## Configuring Your Project
**Step 1: Initialize Whispr**
Run `whispr init <vault_type>` in your terminal to create a `whispr.yaml` file in your project root. This file will store your configuration settings.
The available vault types are: `aws`, `azure`, and `gcp`.
**Example whispr.yaml contents (For: AWS):**
```yaml
env_file: '.env'
secret_name: <your_secret>
vault: aws
```
This default configuration injects the fetched secrets into `os.environ` of the main process. If your app instead wants to receive secrets as STDIN arguments, use the `no_env: true` field.
This is more secure than the default, but the app must then parse the arguments itself.
```yaml
env_file: '.env'
secret_name: <your_secret>
vault: aws
no_env: true # Setting true will send KEY1=VAL1 secret pairs as command args
```
## Setting Up Your Injectable Secrets
**Step 2: Create or Configure a Secret File**
Create a new `.env` file with empty values for your secret keys. For example:
```bash
POSTGRES_USERNAME=
POSTGRES_PASSWORD=
```
**Note**: You can also control the filename with the `env_file` key in your `whispr.yaml`.
**Step 3: Authenticating to Your Vault (Ex: AWS)**
* Authenticate to AWS using short-term credentials.
* Alternatively, set temporary AWS credentials using a config file or environment variables.
**Note**: Use respective authentication methods for other vaults.
## Launch any Application using Whispr
Now you can run any app with `whispr run '<your_app_command_with_args>'` (mind the single quotes around the command) to inject your secrets before starting the subprocess.
Examples:
```bash
whispr run 'python main.py' # Inject secrets and run a Python program
whispr run 'node server.js --threads 4' # Inject secrets and run a Node.js express server
whispr run 'python manage.py runserver' # Inject secrets and start a Django server
whispr run '/bin/sh ./script.sh' # Inject secrets and run a custom bash script. Script should be permitted to execute
whispr run 'semgrep scan --pro' # Inject Semgrep App Token and scan current directory with Semgrep SAST tool.
```
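A simplified model of the flow described in the steps above, added here as an illustration and not taken from Whispr's source. The function names, the in-memory `VAULT_PAYLOAD` standing in for a vault response, and the argv-list form of the command are assumptions.

```python
import os
import subprocess
import sys

# Constructed sample inputs: a .env template with empty values and a decoded
# vault payload. A real payload would come from the vault API, not a literal.
ENV_TEMPLATE = "# database\nPOSTGRES_USERNAME=\nPOSTGRES_PASSWORD=\n"
VAULT_PAYLOAD = {
    "POSTGRES_USERNAME": "app_user",
    "POSTGRES_PASSWORD": "constructed-example-value",
    "UNLISTED_KEY": "not-requested",
}

def template_keys(text):
    """Key names declared in the .env template; values, blanks, comments ignored."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            keys.append(line.split("=", 1)[0].strip())
    return keys

def select_secrets(keys, payload):
    """Only vault entries named in the template reach the child process."""
    return {k: payload[k] for k in keys if k in payload}

def launch(argv, secrets, no_env=False):
    """Run argv with secrets in its environment, or appended as KEY=VAL args."""
    env = os.environ.copy()
    if no_env:
        argv = argv + [f"{k}={v}" for k, v in secrets.items()]
    else:
        env.update(secrets)
    done = subprocess.run(argv, env=env, capture_output=True, text=True, check=True)
    return done.stdout

def parse_secret_args(args):
    """Receiving side in no_env mode: turn KEY=VAL arguments into a dict."""
    return dict(a.split("=", 1) for a in args if "=" in a)

if __name__ == "__main__":
    secrets = select_secrets(template_keys(ENV_TEMPLATE), VAULT_PAYLOAD)
    child = [sys.executable, "-c", "import os; print(os.environ['POSTGRES_USERNAME'])"]
    print(launch(child, secrets))  # the child sees the injected variable
```

Arguments appended in the `no_env` path appear in the process table (for example in `ps` output), so check who can list processes on the machine before choosing `no_env: true`.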
## Programmatic Access
Whispr can also be used programmatically from Python code. See this guide for more information.
https://github.com/narenaryan/whispr/blob/docs/main/usage-guides/programmatic-access.md
# TODO
* Support HashiCorp Vault
* Support 1Password Vault
Raw data
{
"_id": null,
"home_page": null,
"name": "whispr",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.9",
"maintainer_email": null,
"keywords": "code-security, cybersecurity, devsecops, mitre-attack-framework, no-plain-secrets, whispr",
"author": null,
"author_email": "Naren Yellavula <naren.yellavula@gmail.com>",
"download_url": "https://files.pythonhosted.org/packages/70/07/f079d234f9276161404779cea54a95793efeafa29a4c938cd346dc33f2b5/whispr-0.3.0.tar.gz",
"platform": null,
"bugtrack_url": null,
"license": "MIT",
"summary": "A CLI tool to whisper your secrets between secure vault and your local environment",
"version": "0.3.0",
"project_urls": {
"Documentation": "https://github.com/narenaryan/whispr/blob/main/README.md",
"Issues": "https://github.com/narenaryan/whispr/issues",
"Source": "https://github.com/narenaryan/whispr"
},
"split_keywords": [
"code-security",
" cybersecurity",
" devsecops",
" mitre-attack-framework",
" no-plain-secrets",
" whispr"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "23b7ebe0a967a9cc51584fc72bb4e11a8101352852295a5d7352a7f4d32c9e67",
"md5": "fa44d23adac00c9c10287c992bec2e94",
"sha256": "40bc36cf77723ff03448f1ec490f32cf88e5199cd6bd6401eeec60b330427d82"
},
"downloads": -1,
"filename": "whispr-0.3.0-py3-none-any.whl",
"has_sig": false,
"md5_digest": "fa44d23adac00c9c10287c992bec2e94",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.9",
"size": 12259,
"upload_time": "2024-11-17T02:59:30",
"upload_time_iso_8601": "2024-11-17T02:59:30.746903Z",
"url": "https://files.pythonhosted.org/packages/23/b7/ebe0a967a9cc51584fc72bb4e11a8101352852295a5d7352a7f4d32c9e67/whispr-0.3.0-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "7007f079d234f9276161404779cea54a95793efeafa29a4c938cd346dc33f2b5",
"md5": "0d538145a1418359738c02d1b2c5a069",
"sha256": "d02e2ad9f22e4720802bd7d4414df67f3805483de7951bafcddca315bbbe30cf"
},
"downloads": -1,
"filename": "whispr-0.3.0.tar.gz",
"has_sig": false,
"md5_digest": "0d538145a1418359738c02d1b2c5a069",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.9",
"size": 165284,
"upload_time": "2024-11-17T02:59:32",
"upload_time_iso_8601": "2024-11-17T02:59:32.728807Z",
"url": "https://files.pythonhosted.org/packages/70/07/f079d234f9276161404779cea54a95793efeafa29a4c938cd346dc33f2b5/whispr-0.3.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-11-17 02:59:32",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "narenaryan",
"github_project": "whispr",
"travis_ci": false,
"coveralls": true,
"github_actions": true,
"requirements": [],
"lcname": "whispr"
}