
SecretSpec: Declarative Secrets Management


Fast, Declarative, Reproducible, and Composable Developer Environments using Nix

The usual approaches to secrets in development have several problems:

- Apps are disconnected from their secrets: applications lack a clear contract about which secrets they need.
- Parsing .env is unclear: comments, multiline values, and special characters all have ambiguous behavior across different parsers.
- Password manager integration is difficult, requiring manual copy-paste or template workarounds.
- Vendor lock-in: applications use custom parsing logic, making it hard to switch providers.
- No encryption: .env files are stored as plain text, vulnerable to accidental commits or unauthorized access.

Larger teams often adopt solutions like OpenBao (the open source fork of HashiCorp Vault), requiring significant infrastructure and operational overhead.

Now, here's the magic:

- You (on macOS): store the secret in Keychain and retrieve it with secretspec --provider keyring run -- cmd args
- Your teammate (on Linux): store it in GNOME Keyring; the same command works.
- That one developer: still uses a .env file locally (we don't judge, we've been there).
- CI/CD: reads from environment variables in GitHub Actions with secretspec --provider env run -- cmd args
- Production: secrets get provisioned from AWS Secrets Manager.
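Two of the points above can be checked directly: that the same .env file reads differently under different parsers, and that a declared contract lets the application run unchanged while the provider behind it is swapped. The Python below is an added example written for this page; it is not SecretSpec's or devenv's code and does not use SecretSpec's configuration format or API. It parses one constructed .env file under two plausible rule sets and shows where they disagree, then resolves a hypothetical contract (SPEC) through interchangeable env, .env and keyring-stand-in providers, failing before the application starts when a required secret is absent. All names, the SPEC layout and the in-memory keyring are assumptions made for illustration.

```python
"""Added example, not code from SecretSpec or devenv: (1) two reasonable .env
parsers disagreeing on one file, (2) a declarative secrets contract resolved
through swappable providers. SPEC, resolve and the provider helpers are
hypothetical names, not the SecretSpec API or config format."""

# Constructed sample .env: three lines on which parsers commonly disagree.
SAMPLE_DOTENV = (
    "DB_PASSWORD=s3cr3t#not-a-comment?\n"
    'API_TOKEN="line one\\nline two"\n'
    "NOTE='keep # this'  # but not this\n"
)


def parse_dotenv_naive(text):
    """Rule set A: split on the first '=' and keep the right side verbatim."""
    out = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, _, value = line.partition("=")
        out[key.strip()] = value
    return out


def _strip_unquoted_comment(value):
    """Drop everything from the first '#' that is not inside quotes."""
    quote = None
    for i, ch in enumerate(value):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "#":
            return value[:i]
    return value


def _unquote(value):
    """Double quotes expand a literal backslash-n; single quotes are literal."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        inner = value[1:-1]
        return inner.replace("\\n", "\n") if value[0] == '"' else inner
    return value


def parse_dotenv_shell_like(text):
    """Rule set B: shell-style quoting, inline comments, trimmed whitespace."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        out[key.strip()] = _unquote(_strip_unquoted_comment(value).strip())
    return out


class MissingSecretError(Exception):
    """Raised before the app starts, naming every missing required secret."""


# Hypothetical declarative contract: the app states what it needs, not where it lives.
SPEC = {
    "DB_PASSWORD": {"required": True},
    "API_TOKEN": {"required": True},
    "NOTE": {"required": False, "default": ""},
}


def env_provider(environ):
    """Provider reading a process environment (the CI/CD --provider env case)."""
    return environ.get


def dotenv_provider(text):
    """Provider reading a .env file (the 'one developer' case)."""
    return parse_dotenv_shell_like(text).get


def keyring_provider(store):
    """Stand-in for an OS keyring (Keychain, GNOME Keyring): a dict, since the
    real keyring is not reachable in an offline example."""
    return store.get


def missing_secrets(spec, provider):
    """Sorted names of required secrets the provider cannot supply."""
    return sorted(n for n, r in spec.items()
                  if r.get("required", True) and provider(n) is None)


def resolve(spec, provider):
    """Fail fast if the contract is unmet; otherwise return only declared secrets."""
    missing = missing_secrets(spec, provider)
    if missing:
        raise MissingSecretError("missing required secrets: " + ", ".join(missing))
    resolved = {}
    for name, rule in spec.items():
        value = provider(name)
        if value is not None:
            resolved[name] = value
        elif "default" in rule:
            resolved[name] = rule["default"]
    return resolved


def child_environment(spec, provider, base_env):
    """What a 'run -- cmd' wrapper hands the child: base env plus declared secrets.
    Swapping the provider changes nothing for the application."""
    env = dict(base_env)
    env.update(resolve(spec, provider))
    return env


if __name__ == "__main__":
    a, b = parse_dotenv_naive(SAMPLE_DOTENV), parse_dotenv_shell_like(SAMPLE_DOTENV)
    for key in a:
        print(f"{key}: naive={a[key]!r} shell-like={b[key]!r}")
    print(child_environment(SPEC, dotenv_provider(SAMPLE_DOTENV), {}))
    print(child_environment(SPEC, keyring_provider({"DB_PASSWORD": "pw", "API_TOKEN": "tok"}), {}))
    print(missing_secrets(SPEC, env_provider({})))  # -> ['API_TOKEN', 'DB_PASSWORD']
```

Run it directly to see each key's two readings side by side: the unquoted '#' in DB_PASSWORD is either part of the password or a comment, and API_TOKEN is either one line containing a backslash-n or two lines, depending on which parser the consuming tool happens to use. The keyring provider is a dict standing in for Keychain or GNOME Keyring; that stand-in is the only place a real deployment would differ, which is the point of the contract.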

