Replace secret environment variables with reference tags
Gather all secrets from your GitHub Actions environment variables and use the SecretHub CLI to safely store them in a centralized location.
Simply add secrethub:// reference tags to your .github/actions/<workflow>.yml file to automatically load secrets at runtime:
A single source of truth for your secrets
With your secrets centralized you know that when a value is updated, GitHub Actions and all other tools will have it on the next run.
- No more manually syncing the GitHub Actions Environment Variables GUI
- No more evaluations of each tool's own secret store
Develop and maintain pipelines without breaking them
Secrets shouldn't get in the way when you're developing pipelines. Leverage the powerful reference syntax for cleaner, more predictable, and reproducible GitHub Actions pipelines:
Pin secret versions
secrethub://company/app/docker/password:latestsecrethub://company/app/docker/password:2
Switch secrets between environments
secrethub://company/app/prod/aws/secret_access_keysecrethub://company/app/staging/aws/secret_access_key
Run workflows locally too
The missing piece to achieving dev/prod parity when running GitHub Actions workflows locally as loading secrets now works in the same way no matter where you're running.
Prevent accidents and leaks
Mistakes are easily made. Keep your peace of mind and ensure your GitHub Actions logs won't give away the keys to the kingdom.
- All secret values are automatically masked from log output
- Secrets are end-to-end encrypted and plaintext values only exist in memory during the lifetime of a job
- No more insecure and wonky workarounds for the 100-secrets and 64-KB limits
Control & monitor when GitHub Actions reads secrets
Every time your GitHub Actions job starts, secret reads gets recorded on the audit log. Restrict access to only the secrets it needs and know that you can revoke access with a single command.
Managing secrets for most CI tools is a pain in the ass. The only way to define secrets is to manually define them as env vars in the GUI, which takes a lot of time. This is fine for 1 project, but we have over 180 projects so that's not an option. SecretHub is a big time saver in that regard. It's really easy to use and I got a pipeline with secrets up and running within half an hour!
Every day I have clients that have cleartext passwords or need to manage various password vaults. The common denominator is that code becomes a security risk, and it becomes extremely cumbersome to deploy applications and share secrets. With SecretHub, I can now develop, test and deploy without a single secret anywhere near my code or tools. This is what the industry has needed for a long long time!
We've tried pretty much every solution out there for secrets management and SecretHub is The Thing filling the void in our pipeline. The experience was super nice: we had zero friction integrating SecretHub with our infrastructure.
By injecting passwords and tokens with the template tags, we’re now able to keep our application config files the same throughout the entire DTAP street. This is a real time saver, especially when you do a dedicated DTAP pipeline per customer.
Be up and running in no time
Follow the step-by-step guide and you'll be loading secrets into GitHub Actions today.
