README
ΒΆ
dsops β Developer Secret Operations
A fast, cross-platform CLI that pulls secrets from your vault(s) and renders
.env*files or launches commands with ephemeral environment variables.
π Quick Start
# Initialize a new project
dsops init
# Preview what secrets will be resolved (no values shown)
dsops plan --env development
# Run your app with ephemeral environment variables (no files on disk)
dsops exec --env development -- npm start
# Optionally render a .env file (explicit opt-in)
dsops render --env production --out .env.production
β¨ Features
- Ephemeral First: Secrets are injected into process environment, not written to disk by default
- Provider Agnostic: Works with password managers (1Password, Bitwarden) and cloud secret stores (AWS, GCP, Azure)
- Safe by Default: All logs redact sensitive values; no secrets in crash dumps
- Flexible Output: Generate
.envfiles, JSON, YAML, or custom templates - Transform Pipeline: Built-in transforms for JSON extraction, base64 encoding/decoding, and more
- Cross Platform: Works on macOS, Linux, and Windows
π¦ Installation
Homebrew (macOS/Linux)
brew install systmms/tap/dsops
Go Install
go install github.com/systmms/dsops/cmd/dsops@latest
Download Binary
Download the latest release from GitHub Releases.
ποΈ Configuration
Create a dsops.yaml file in your project root:
version: 0
providers:
onepassword:
type: onepassword
aws_sm:
type: aws.secretsmanager
region: us-east-1
envs:
development:
DATABASE_URL:
from: { provider: onepassword, key: "op://Dev/MyApp/DATABASE_URL" }
API_SECRET:
from: { provider: aws_sm, key: "myapp/dev/api" }
transform: json_extract:.secret
DEBUG:
literal: "true"
π§ Commands
| Command | Description |
|---|---|
dsops init |
Initialize a new dsops configuration |
dsops plan --env <name> |
Preview which secrets will be resolved |
dsops exec --env <name> -- <command> |
Run command with ephemeral environment |
dsops render --env <name> --out <file> |
Generate environment file |
dsops get --key <var> |
Get a single secret value |
dsops doctor |
Check provider connectivity |
dsops providers |
List available providers |
π Supported Providers
Password Managers
- 1Password (
onepassword) - viaopCLI - Bitwarden (
bitwarden) - viabwCLI
Cloud Secret Stores
- AWS Secrets Manager (
aws.secretsmanager) - AWS Systems Manager Parameter Store (
aws.ssm) - Google Cloud Secret Manager (
gcp.secretmanager) - Azure Key Vault (
azure.keyvault) - HashiCorp Vault (
hashicorp.vault)
π Transforms
Built-in transforms for processing secret values:
envs:
production:
DATABASE_URL:
from: { provider: aws_sm, key: "db-config" }
transform: json_extract:.url # Extract JSON field
JWT_KEY:
from: { provider: onepassword, key: "op://Prod/JWT/private_key" }
transform: multiline_to_single # Convert multiline to single line
Available transforms:
json_extract:.path- Extract value from JSONbase64_decode/base64_encode- Base64 operationstrim- Remove whitespacemultiline_to_single- Convert multiline strings- Custom transform chains supported
π‘οΈ Security
dsops is designed with security as the top priority:
- No Disk Residue: Secrets exist only in memory by default
- Process Isolation: Child processes get secrets; parent process never sees them
- Redacted Logging: All logs automatically redact sensitive values
- Crash Safety: Panic handler prevents secrets from appearing in crash dumps
- Minimal Cache: Optional encrypted keychain storage only
πββοΈ Development
# Set up development environment
make setup
# Run tests
make test
# Build binary
make build
# Run with debug logging
make dev
π License
Licensed under the Apache License, Version 2.0. See LICENSE for details.
π€ Contributing
We welcome contributions! Please see CONTRIBUTING.md for guidelines.
π Documentation
For detailed documentation, see the docs directory or visit our documentation site.
Directories
ΒΆ
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
dsops
command
|
|
|
internal
|
|
|
rotation/gradual
Package gradual provides gradual rollout strategies for rotation operations.
|
Package gradual provides gradual rollout strategies for rotation operations. |
|
rotation/gradual/discovery
Package discovery provides instance discovery for gradual rollout.
|
Package discovery provides instance discovery for gradual rollout. |
|
rotation/health
Package health provides health monitoring functionality for rotation operations.
|
Package health provides health monitoring functionality for rotation operations. |
|
rotation/notifications
Package notifications provides notification infrastructure for rotation events.
|
Package notifications provides notification infrastructure for rotation events. |
|
rotation/rollback
Package rollback provides automatic and manual rollback functionality for rotation operations.
|
Package rollback provides automatic and manual rollback functionality for rotation operations. |
|
pkg
|
|
|
exec
Package exec provides abstractions for command execution.
|
Package exec provides abstractions for command execution. |
|
provider
Package provider defines the core interfaces and types for secret store providers in dsops.
|
Package provider defines the core interfaces and types for secret store providers in dsops. |
|
rotation
Package rotation provides interfaces and types for secret value rotation in dsops.
|
Package rotation provides interfaces and types for secret value rotation in dsops. |
|
secretstore
Package secretstore provides interfaces and types for secret storage systems in dsops.
|
Package secretstore provides interfaces and types for secret storage systems in dsops. |
|
tests
|
|
|
fakes
Package fakes provides test doubles for dsops testing.
|
Package fakes provides test doubles for dsops testing. |
|
testutil
Package testutil provides testing utilities for dsops.
|
Package testutil provides testing utilities for dsops. |
Click to show internal directories.
Click to hide internal directories.