All provider features (gcsm, awssm, vault) are now enabled by default
AWS Secrets Manager (awssm) provider: batch fetching via BatchGetSecretValue API,
reducing N sequential API calls to ceil(N/20) batched calls. For 30 secrets this means
2 API calls instead of 30. Note: requires the secretsmanager:BatchGetSecretValue
IAM permission in addition to existing permissions.
Install secretspec 0.8.2
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/cachix/secretspec/releases/download/v0.8.2/secretspec-installer.sh | sh
rsa_private_key secret generation type: generates RSA private keys in PKCS1 PEM format,
defaults to 2048 bits, configurable via generate = { bits = 4096 }
Fixed
Check provider authentication (e.g. OnePassword, LastPass) before prompting
user for secrets, via a PreflightGuard that runs the check exactly once
per provider instance
Install secretspec 0.8.1
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/cachix/secretspec/releases/download/v0.8.1/secretspec-installer.sh | sh
HashiCorp Vault / OpenBao (vault) provider for Vault KV v1/v2 secret storage, with support
for namespaces, TLS configuration, and OpenBao compatibility (requires --features vault)
Support running secretspec from subdirectories: the CLI now walks up the directory tree to find the nearest secretspec.toml, similar to cargo and git. Also adds a -f/--file flag (and SECRETSPEC_FILE env var) to explicitly specify the config file path (#59)
Changed
Extract shared block_on async helper from AWSSM and GCSM providers into provider::block_on
Fixed
GCSM provider no longer panics when called from within an existing tokio runtime
Install secretspec 0.8.0
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/cachix/secretspec/releases/download/v0.8.0/secretspec-installer.sh | sh
Keyring and pass providers now support folder_prefix via URI (e.g., keyring://secretspec/shared/{profile}/{key})
to share secrets across projects, matching the existing OnePassword and LastPass behavior
Changed
Support XDG_CONFIG_HOME on macOS by switching from the directories crate to the etcetera crate.
Existing macOS configs at ~/Library/Application Support/secretspec/ are automatically
migrated to ~/.config/secretspec/ (#28)
Fixed
Reject empty values when setting a secret
Install secretspec 0.7.2
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/cachix/secretspec/releases/download/v0.7.2/secretspec-installer.sh | sh
Declarative secret generation: secrets can now be auto-generated when missing by adding type and generate fields to secret config. Supported types: password, hex, base64, uuid, and command (for arbitrary shell commands). Generation triggers during check/run
when a secret is missing, and the generated value is stored via the configured provider.
Changed
OnePassword provider: Significant performance improvement by caching authentication status
and using batch fetching with parallel threads. Reduces CLI calls from 2N sequential to
~2 sequential + N parallel for N secrets.
Install secretspec 0.7.0
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/cachix/secretspec/releases/download/v0.7.0/secretspec-installer.sh | sh
CLI: Add --no-prompt (-n) flag to secretspec check command for non-interactive mode.
When used, the command exits with non-zero status if secrets are missing instead of prompting for values.
Useful for CI/CD pipelines, scripts, and automation. (#55)
Install secretspec 0.6.2
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/cachix/secretspec/releases/download/v0.6.2/secretspec-installer.sh | sh
OnePassword provider: Fix duplicate item creation when existing item has no extractable value.
Now uses op item list for existence checks and updates by item ID to avoid ambiguity.
OnePassword provider: Handle "More than one item matches" error gracefully by falling back to ID-based lookup.
Install secretspec 0.6.1
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/cachix/secretspec/releases/download/v0.6.1/secretspec-installer.sh | sh