8000 GitHub - miltlima/secrethor-cli: πŸ” CLI for auditing Kubernetes Secrets: complements Secrethor Operator with orphan detection, search, and policy support.
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content
/ secrethor-cli Public

πŸ” CLI for auditing Kubernetes Secrets: complements Secrethor Operator with orphan detection, search, and policy support.

License

Apache-2.0 license
6 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

miltlima/secrethor-cli

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

22 Commits
.chglog
.chglog
Β 
Β 
.github
.github
Β 
Β 
assets/images
assets/images
Β 
Β 
cmd
cmd
Β 
Β 
internal/secrethor
internal/secrethor
Β 
Β 
.gitignore
.gitignore
Β 
Β 
CHANGELOG.md
CHANGELOG.md
Β 
Β 
LICENSE
LICENSE
Β 
Β 
README.md
README.md
Β 
Β 
go.mod
go.mod
Β 
Β 
go.sum
go.sum
Β 
Β 
main.go
main.go
Β 
Β 
makefile
makefile
Β 
Β 

Repository files navigation

Secrethor Logo

License: Apache 2.0 GitHub release (latest by date) Go Version Build Status Go Report Card GitHub all releases GitHub last commit GitHub issues

Secrethor CLI

Secrethor CLI is a Kubernetes secret auditing tool that complements the Secrethor Operator.

Core Functionalities

1. Secret Scanning

  • Orphaned Secret Detection:
    • Automatically identifies secrets not used by any workload
    • Scans across all Kubernetes workload types:
      • Deployments
      • StatefulSets
      • DaemonSets
      • ReplicaSets
      • CronJobs
      • Jobs
      • Pods
    • Provides clear visual indicators (πŸ”’ for used, ❗ for orphaned)

2. Secret Search

  • Cross-Namespace Search:
    • Find secrets by name across all namespaces
    • Detailed information display:
      • βœ… Secret location (namespace/name)
      • πŸ” Secret type
      • πŸ“¦ Available data keys
    • Supports single namespace or all-namespace search

Features

  • Detect orphaned Secrets not used by any workload
  • Search for Secrets by name across namespaces
  • Clean, structured output
  • JSON/YAML export support

Workload Coverage

Secrethor CLI scans for secrets used in:

Workload Type Secret References Checked
Deployments - Environment variables
- Volume mounts
- Image pull secrets
StatefulSets - Environment variables
- Volume mounts
- Image pull secrets
DaemonSets - Environment variables
- Volume mounts
- Image pull secrets
ReplicaSets - Environment variables
- Volume mounts
- Image pull secrets
CronJobs - Environment variables
- Volume mounts
- Image pull secrets
Jobs - Environment variables
- Volume mounts
- Image pull secrets
Pods - Environment variables
- Volume mounts
- Image pull secrets

Installation

Install with go install

go install github.com/miltlima/secrethor-cli@latest

Or clone and build manually

git clone https://github.com/miltlima/secrethor-cli.git
cd secrethor-cli
go build -o secrethor-cli main.go

Flags

Flag Description
--namespace Namespace to scan (or all)
--output Output format: json, yaml, or default (table)
--verbose Enable detailed scan output

Usage Examples

Scan for Orphaned Secrets

# Scan all namespaces
secrethor-cli secrets orphan --namespace all

# Scan specific namespace
secrethor-cli secrets orphan --namespace default

# With verbose output
secrethor-cli secrets orphan --namespace all --verbose

# With different output format
secrethor-cli secrets orphan --namespace all --output json

Search for Specific Secrets

# Search across all namespaces
secrethor-cli secrets search my-secret-name --namespace all

# Search in specific namespace
secrethor-cli secrets search my-secret-name --namespace default

Output Format Examples

# Table output (default)
secrethor-cli secrets orphan --output table

# JSON output
secrethor-cli secrets orphan --output json

# YAML output
secrethor-cli secrets orphan --output yaml

Example Output

 _______                            __    __
|     __|.-----..----..----..-----.|  |_ |  |--..-----..----.
|__     ||  -__||  __||   _||  -__||   _||     ||  _  ||   _|
|_______||_____||____||__|  |_____||____||__|__||_____||
8000
__|


In-use Secrets
  NAMESPACE              NAME                  USED BY                                                                                                                                                      
                                                                                                                                                                                                            
  πŸ”’  mongo              my-mongo-db-config    StatefulSets/my-mongo-db, StatefulSets/my-mongo-db-arb, Pods/my-mongo-db-0, Pods/my-mongo-db-1, Pods/my-mongo-db-2                                           
  πŸ”’  secrethor-system   webhook-server-cert   Deployments/controller-manager, ReplicaSets/controller-manager-54486fd57, ReplicaSets/controller-manager-9d64b7c76, Pods/controller-manager-54486fd57-tcwd9  

Orphaned Secrets
  NAMESPACE          NAME                                      
                                                               
  ❗  cert-manager   cert-manager-webhook-ca                   
  ❗  default        allowed-secret                            
  ❗  default        both-ok                                   
  ❗  default        only-password                             
  ❗  default        only-username                             
  ❗  default        totally-unused                            
  ❗  dev            test-secret                               
  ❗  dev            test-secret1                              
  ❗  mongo          my-mongo-db-admin-my-user                 
  ❗  mongo          my-mongo-db-agent-password                
  ❗  mongo          my-mongo-db-keyfile                       
  ❗  mongo          my-user-password                          
  ❗  mongo          my-user-scram-scram-credentials           
  ❗  mongo          sh.helm.release.v1.community-operator.v1  

Summary
πŸ”‘  Secrets in total:   16
πŸ”’  Secrets in use:     2
❗  Orphaned secrets:   14

Project Structure

.
β”œβ”€β”€ CHANGELOG.md
β”œβ”€β”€ README.md
β”œβ”€β”€ cmd
β”‚Β Β  β”œβ”€β”€ expired_
β”‚Β Β  β”œβ”€β”€ orphan.go
β”‚Β Β  β”œβ”€β”€ root.go
β”‚Β Β  β”œβ”€β”€ search.go
β”‚Β Β  β”œβ”€β”€ secrets.go
β”‚Β Β  └── version.go
β”œβ”€β”€ go.mod
β”œβ”€β”€ go.sum
β”œβ”€β”€ internal
β”‚Β Β  └── secrethor
β”‚Β Β      β”œβ”€β”€ banner.go
β”‚Β Β      β”œβ”€β”€ expired_
β”‚Β Β      β”œβ”€β”€ orphan.go
β”‚Β Β      β”œβ”€β”€ search.go
β”‚Β Β      └── utils.go
β”œβ”€β”€ main.go
└── makefile

4 directories, 17 files

Contributing

We welcome contributions! Here's how you can help:

  • Report bugs by opening issues
  • Suggest new features
  • Submit pull requests
  • Improve documentation

Please ensure your commits follow conventional commit format for automatic versioning.

License

Apache License - see LICENSE file for details.

Built with ❀️ by Milton Lima de Jesus

About

πŸ” CLI for auditing Kubernetes Secrets: complements Secrethor Operator with orphan detection, search, and policy support.

Topics

kubernetes cli golang secrets

Resources

Readme

License

Apache-2.0 license
Activity

Stars

6 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases 3

Release v0.1.3 Latest
Apr 18, 2025
+ 2 releases

Packages

No packages published

Contributors 2

  •  
  •  

Languages
0