feat(cli): plain secret value output
Description
User wasn't able to get their expanded/imported secrets as plain text when executing `infisical secrets get FOO`.
This PR includes the following to address the above issue:
CLI
- Expand and import secrets when using `infisical secret get`
  - Get the processed reference (e.g. `${dev.VAR1}`)
  - Get the imported secrets (e.g. when importing variables from env A to env B, for now in the web app)
- Output plain value(s) without the secret name using the `--plain` flag
  - For both `infisical secret` & `infisical secret get`
  - Is it useful to implement such a feature when printing all secrets (`infisical secret`)? The initial use case was to easily integrate with scripts by getting only a single Infisical secret value. I've implemented it for the sake of consistency, but it can be easily removed if needed.
  - e.g. `infisical secret get VAR1 --plain` (more examples in the tests below)
Docs
- Updated the `/cli/commands/secrets` page to add the new `--plain` flag
ℹ️ I've just updated the main feature in the official docs, but the CLI documentation should be automatically generated IMO (docs are outdated for now, 2024-02-08). Mintlify does support OpenAPI docs, but I haven't seen any support/integration for CLI docs auto-generation (through cobra for example, or just from the man page).
Related issue
- https://github.com/Infisical/infisical/issues/1351
- https://github.com/Infisical/infisical/issues/845
- https://github.com/Infisical/infisical/pull/1532
Type
- [ ] Bug fix
- [x] New feature
- [ ] Breaking change
- [x] Documentation
Tests
CLI
Here's the Infisical project's development environment (also imported into the staging environment):
```text
# --expand=true (default)
┌─────────────┬──────────────┬─────────────┐
│ SECRET NAME │ SECRET VALUE │ SECRET TYPE │
├─────────────┼──────────────┼─────────────┤
│ VAR1        │ value1       │ shared      │
│ VAR2        │ value2       │ shared      │
│ VAR3        │ value3       │ shared      │
│ VAR4        │ value1       │ shared      │
└─────────────┴──────────────┴─────────────┘
# --expand=false
┌─────────────┬──────────────┬─────────────┐
│ SECRET NAME │ SECRET VALUE │ SECRET TYPE │
├─────────────┼──────────────┼─────────────┤
│ VAR1        │ value1       │ shared      │
│ VAR2        │ value2       │ shared      │
│ VAR3        │ value3       │ shared      │
│ VAR4        │ ${VAR1}      │ shared      │
└─────────────┴──────────────┴─────────────┘
```
Formatted
```text
# get all secrets
./infisical-merge secrets
┌─────────────┬──────────────┬─────────────┐
│ SECRET NAME │ SECRET VALUE │ SECRET TYPE │
├─────────────┼──────────────┼─────────────┤
│ VAR1        │ value1       │ shared      │
│ VAR2        │ value2       │ shared      │
│ VAR3        │ value3       │ shared      │
│ VAR4        │ value1       │ shared      │
└─────────────┴──────────────┴─────────────┘
# get single secret (expanded)
./infisical-merge secrets get VAR1
┌─────────────┬──────────────┬─────────────┐
│ SECRET NAME │ SECRET VALUE │ SECRET TYPE │
├─────────────┼──────────────┼─────────────┤
│ VAR1        │ value1       │ shared      │
└─────────────┴──────────────┴─────────────┘
# get multiple secrets (expanded)
./infisical-merge secrets get VAR1 VAR2
┌─────────────┬──────────────┬─────────────┐
│ SECRET NAME │ SECRET VALUE │ SECRET TYPE │
├─────────────┼──────────────┼─────────────┤
│ VAR1        │ value1       │ shared      │
│ VAR2        │ value2       │ shared      │
└─────────────┴──────────────┴─────────────┘
```
Plain
```text
# get all secrets
./infisical-merge secrets --plain
value1
value2
value3
value1
# get single secret (plain)
./infisical-merge secrets get VAR1 --plain
value1
# get multiple secrets (plain)
./infisical-merge secrets get VAR1 VAR2 --plain
value1
value2
# get single secret (raw)
./infisical-merge secrets get VAR4 --expand=false --plain
${VAR1}
# get multiple secrets (raw)
./infisical-merge secrets get VAR3 VAR4 --expand=false --plain
value3
${VAR1}
```
Imported
```text
# get all secrets
./infisical-merge secrets --env stg
┌─────────────┬──────────────┬─────────────┐
│ SECRET NAME │ SECRET VALUE │ SECRET TYPE │
├─────────────┼──────────────┼─────────────┤
│ VAR1        │ value1       │ shared      │
│ VAR2        │ value2       │ shared      │
│ VAR3        │ value3       │ shared      │
│ VAR4        │ value1       │ shared      │
└─────────────┴──────────────┴─────────────┘
# get single secret
./infisical-merge secrets get VAR4 --env stg
┌─────────────┬──────────────┬─────────────┐
│ SECRET NAME │ SECRET VALUE │ SECRET TYPE │
├─────────────┼──────────────┼─────────────┤
│ VAR4        │ value1       │ shared      │
└─────────────┴──────────────┴─────────────┘
```
Use cases
```shell
# script (single value)
api_key="$(./infisical-merge secrets get VAR1 --plain)"
echo "$api_key"
value1
# script (multiple values)
api_key="$(./infisical-merge secrets get VAR1 VAR2 --plain)"
echo "$api_key"
value1
value2
```
Docs
Here's how to test the fix/feature regarding the `--plain`, `--expand` and `--include-imports` flags in the docs:
```shell
# documentation preview
mintlify dev
# or with npx
npx mintlify dev
```
Head over to the page below:
- [CLI - Secrets](http://localhost:3000/cli/commands/secrets#sub-commands)
- [x] I have read the contributing guide, agreed and acknowledged the code of conduct.
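As an added Go sketch (not the CLI's own implementation) of the `--expand` and `--plain` behaviour described above: `${VAR}` and `${env.VAR}` references are resolved recursively from an in-memory `Store`, a missing or circular reference is rejected rather than looped on, and `Plain` returns values only, one per secret, in the order requested. The `Store` type, the `${env.VAR}` cross-environment syntax and the sample values are assumptions for the example.

```go
package main
import "fmt"
import "regexp"

// refPattern matches ${VAR} and ${env.VAR}; the syntax is assumed from the ${VAR1} and ${dev.VAR1} examples in the PR.
var refPattern = regexp.MustCompile(`\$\{(\w+)(?:\.(\w+))?\}`)

// Store is a constructed stand-in for one project's secrets: env -> secret name -> raw value.
type Store map[string]map[string]string

// Plain returns the values of names in env, one entry per secret, in the order requested,
// the way `secrets get NAME... --plain` prints them; doExpand=false mirrors --expand=false.
func (s Store) Plain(env string, names []string, doExpand bool) ([]string, error) {
	vals := make([]string, 0, len(names))
	for _, n := range names {
		v, ok := s[env][n]
		if !ok {
			return nil, fmt.Errorf("secret %s not found in env %s", n, env)
		}
		if doExpand {
			var err error
			if v = s.expand(env, v, map[string]bool{}, &err); err != nil {
				return nil, err
			}
		}
		vals = append(vals, v)
	}
	return vals, nil
}

// expand resolves ${VAR} (same env) and ${other.VAR} references recursively; onPath holds
// the references currently being expanded so that a circular chain is rejected, not looped.
func (s Store) expand(env, value string, onPath map[string]bool, errp *error) string {
	return refPattern.ReplaceAllStringFunc(value, func(ref string) string {
		m := refPattern.FindStringSubmatch(ref)
		refEnv, name := env, m[1]
		if m[2] != "" {
			refEnv, name = m[1], m[2]
		}
		raw, ok := s[refEnv][name]
		key := refEnv + "." + name
		if !ok || onPath[key] { // missing secret, or a reference back to one already on the path
			*errp = fmt.Errorf("cannot resolve %s (missing or circular)", ref)
			return ref // left raw, as --expand=false would show it
		}
		onPath[key] = true
		defer delete(onPath, key)
		return s.expand(refEnv, raw, onPath, errp)
	})
}
```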
Isn't this resolved by another PR? 🤔
Only partially by https://github.com/Infisical/infisical/pull/1532, but the discussion is ongoing with @maidul98 through Slack.
This PR addresses additional issues with the `infisical secret get` command, adding and defaulting `--expand` and `--include-imports` to true for example.
And the possibility to support multiple secret plain output (one per line), which isn't the case in #1532.
Hey @Grraahaam, PR looks good to me. Thanks for adding the docs as well. Can you please fix the merge conflicts?
⚠️ GitGuardian has uncovered 5 secrets following the scan of your pull request.
Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.
Detected hardcoded secrets in your pull request
| GitGuardian id | GitGuardian status | Secret | Commit | Filename | Link |
|---|---|---|---|---|---|
| 9387833 | Triggered | Generic Password | 092665737fc337f4535c615316ba976837a515df | .env.example | View secret |
| 8529478 | Triggered | Generic High Entropy Secret | 092665737fc337f4535c615316ba976837a515df | .env.example | View secret |
| 9605380 | Triggered | Generic Private Key | 092665737fc337f4535c615316ba976837a515df | backend/e2e-test/routes/v3/secrets.spec.ts | View secret |
| 9605380 | Triggered | Generic Private Key | 092665737fc337f4535c615316ba976837a515df | backend/e2e-test/routes/v3/secrets.spec.ts | View secret |
| 9605381 | Triggered | Generic High Entropy Secret | 092665737fc337f4535c615316ba976837a515df | .env.test.example | View secret |
Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secrets safely. Learn here the best practices.
- Revoke and rotate these secrets.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider:
- following these best practices for managing and storing secrets including API keys and other credentials
- installing secret detection on pre-commit to catch secrets before they leave your machine and ease remediation.
GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
Merge conflicts resolved @maidul98
As discussed on Slack, I've left the `--raw-value` flag and deprecated it; I've added some backward compatibility though, to avoid breaking any CI/script currently running.
I've tested the latest commit and everything works as described previously; let me know if there's something more to fix before merging it!
Once merged, this issue can be closed as well: https://github.com/Infisical/infisical/issues/1351