Logo
Deploy Now

Stars

27827

Forks

2078

Watchers

70

Developer links

Infisical

API keys hardcoded in repos, database passwords pasted into CI variables, .env files emailed between developers - Infisical, the open-source platform for secrets, certificates, and privileged access management, is the answer to all three. Secrets live in versioned stores scoped by project, environment, and path, with fine-grained identity-aware access control and full audit logging on every read and change. Delivery covers every consumption pattern: CLI injection into local dev, SDKs for Go, Node.js, and Python, an HTTP API, agents, a Kubernetes Operator, and secret syncs that push to GitHub, GitLab, AWS Secrets Manager, and Vercel. Automatic rotation replaces credentials for PostgreSQL, MySQL, MSSQL, LDAP, AWS IAM, and Azure on a rolling schedule - new credentials issue while old ones stay temporarily valid, so nothing breaks mid-rotation. Dynamic secrets go further, generating ephemeral, time-bound database credentials on demand, and SSH access replaces static keys with short-lived CA-signed certificates that expire automatically. Secrets scanning catches hardcoded credentials in code and pipelines, certificate management automates X.509 issuance and renewal, and a built-in KMS handles encrypt/decrypt with central key control. Self-hosting keeps the keys to everything else on your own infrastructure.

Infisical

Benefits

  • End Secret Sprawl
  • One versioned, audited source of truth replaces .env files, CI variables, and credentials scattered across codebases.
  • Credentials That Expire
  • Dynamic secrets and SSH certificates are time-bound by design - a leaked credential dies on its own instead of living for years.
  • Rotation Without Outages
  • Rolling rotation keeps old credentials temporarily valid while new ones deploy, so services never break mid-swap.
  • The Keys Stay With You
  • Self-hosting your secrets manager means the most sensitive system in your stack isn't itself a third-party dependency.

Features

  • Versioned Secret Stores
  • Secrets scoped by project, environment, and path with history and point-in-time recovery.
  • Automatic Rotation
  • Scheduled credential replacement for PostgreSQL, MySQL, MSSQL, LDAP, AWS IAM, Azure, and more.
  • Dynamic Secrets
  • Ephemeral, on-demand credentials for databases and services with automatic expiry.
  • SSH Certificate Access
  • Short-lived CA-signed certificates replace static SSH keys - no manual revocation needed.
  • Secrets Scanning
  • Detect hardcoded credentials in code and CI pipelines across GitHub, GitLab, and Bitbucket.
  • Universal Delivery
  • CLI, SDKs, HTTP API, Kubernetes Operator, and syncs to external secret stores.