Categories
Self-Hosted Open Source Developer Tools DevOps Security Infrastructure Encryption Secrets ManagementStars
Forks
Watchers
Developer links
Infisical
API keys hardcoded in repos, database passwords pasted into CI variables, .env files emailed between developers - Infisical, the open-source platform for secrets, certificates, and privileged access management, is the answer to all three. Secrets live in versioned stores scoped by project, environment, and path, with fine-grained identity-aware access control and full audit logging on every read and change. Delivery covers every consumption pattern: CLI injection into local dev, SDKs for Go, Node.js, and Python, an HTTP API, agents, a Kubernetes Operator, and secret syncs that push to GitHub, GitLab, AWS Secrets Manager, and Vercel. Automatic rotation replaces credentials for PostgreSQL, MySQL, MSSQL, LDAP, AWS IAM, and Azure on a rolling schedule - new credentials issue while old ones stay temporarily valid, so nothing breaks mid-rotation. Dynamic secrets go further, generating ephemeral, time-bound database credentials on demand, and SSH access replaces static keys with short-lived CA-signed certificates that expire automatically. Secrets scanning catches hardcoded credentials in code and pipelines, certificate management automates X.509 issuance and renewal, and a built-in KMS handles encrypt/decrypt with central key control. Self-hosting keeps the keys to everything else on your own infrastructure.
Benefits
- End Secret Sprawl
- One versioned, audited source of truth replaces .env files, CI variables, and credentials scattered across codebases.
- Credentials That Expire
- Dynamic secrets and SSH certificates are time-bound by design - a leaked credential dies on its own instead of living for years.
- Rotation Without Outages
- Rolling rotation keeps old credentials temporarily valid while new ones deploy, so services never break mid-swap.
- The Keys Stay With You
- Self-hosting your secrets manager means the most sensitive system in your stack isn't itself a third-party dependency.
Features
- Versioned Secret Stores
- Secrets scoped by project, environment, and path with history and point-in-time recovery.
- Automatic Rotation
- Scheduled credential replacement for PostgreSQL, MySQL, MSSQL, LDAP, AWS IAM, Azure, and more.
- Dynamic Secrets
- Ephemeral, on-demand credentials for databases and services with automatic expiry.
- SSH Certificate Access
- Short-lived CA-signed certificates replace static SSH keys - no manual revocation needed.
- Secrets Scanning
- Detect hardcoded credentials in code and CI pipelines across GitHub, GitLab, and Bitbucket.
- Universal Delivery
- CLI, SDKs, HTTP API, Kubernetes Operator, and syncs to external secret stores.