Secrets Bridge

Unified secrets control plane

The brain behind your secrets.

A distributed secrets control plane that connects and governs secrets across every provider — without replacing the tools your teams already use. One brain, every provider. Values stay home.

Why Secrets Bridge

  • Workflow-gated reads & writes
    Developers request access through configurable workflows. Approvers vote. Agents fetch (or write) values. Every value is single-shot, audited, and KMS-wrapped at rest.

  • SOC2-ready audit
    The audit_events table is append-only at the schema layer — BEFORE UPDATE / BEFORE DELETE triggers reject mutations. Every action emits a correlation ID you can drill into.

  • No KMS lock-in
    Three backends ship today behind one SB_KMS_BACKEND knob: local (dev), vault-transit (OSS production), aws-kms (AWS production). Bring your own. No cloud lock-in.

  • Plaintext never on the wire
    TLS + per-direction wire-envelope encryption (X25519 for CP→Agent, KMS-DEK + AES-GCM for Agent→CP). Even a TLS-terminating proxy in your mesh sees only ciphertext.
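The Agent→CP direction described above (a fresh data-encryption key per value, the value sealed with AES-GCM, the DEK wrapped by the KMS so only ciphertext crosses the wire), as an added example that is not Secrets Bridge's own code. `LocalKMS` stands in for a KMS backend's wrap/unwrap call, and the `Seal`, `Open` and `Leaks` names and the sample secret are assumptions made for this illustration. It also shows the two checks a reviewer of such a scheme wants: the envelope contains nothing a TLS-terminating proxy could read, and a single flipped bit in transit is rejected by the GCM tag rather than yielding a corrupted value.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// LocalKMS stands in for a KMS backend (assumption for this example): the
// key-encryption key (KEK) never leaves it; callers only get wrap/unwrap.
type LocalKMS struct{ kek []byte }

// NewLocalKMS generates a random 256-bit KEK. A real backend would hold it in
// Vault Transit or AWS KMS and expose only the wrap/unwrap operations.
func NewLocalKMS() (*LocalKMS, error) {
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		return nil, err
	}
	return &LocalKMS{kek: kek}, nil
}

// gcmSeal encrypts plaintext with AES-GCM under key, prepending a random nonce.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; any bit flip in nonce, ciphertext, tag or AAD fails.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Wrap and Unwrap bind the DEK to a fixed purpose label via AAD so a wrapped
// DEK cannot be replayed as some other kind of KMS-protected blob.
func (k *LocalKMS) Wrap(dek []byte) ([]byte, error)   { return gcmSeal(k.kek, dek, []byte("dek-wrap")) }
func (k *LocalKMS) Unwrap(wr []byte) ([]byte, error)  { return gcmOpen(k.kek, wr, []byte("dek-wrap")) }

// Envelope is what travels Agent→CP: both fields are ciphertext.
type Envelope struct {
	WrappedDEK []byte // KMS-wrapped data-encryption key
	Ciphertext []byte // nonce || AES-GCM(value) || tag
}

// Seal is the Agent side: fresh DEK per value, value sealed under the DEK,
// DEK wrapped by the KMS, then the plaintext DEK is zeroed from memory.
func Seal(k *LocalKMS, value []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	defer func() { for i := range dek { dek[i] = 0 } }()
	ct, err := gcmSeal(dek, value, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := k.Wrap(dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Open is the CP side: unwrap the DEK through the KMS, then open the value.
func Open(k *LocalKMS, env *Envelope) ([]byte, error) {
	dek, err := k.Unwrap(env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("kms unwrap: %w", err)
	}
	defer func() { for i := range dek { dek[i] = 0 } }()
	return gcmOpen(dek, env.Ciphertext, nil)
}

// Leaks reports whether the value appears verbatim anywhere in the envelope,
// i.e. whether a TLS-terminating proxy on the path could simply read it.
func Leaks(env *Envelope, value []byte) bool {
	return bytes.Contains(env.Ciphertext, value) || bytes.Contains(env.WrappedDEK, value)
}

func main() {
	kms, _ := NewLocalKMS()
	secret := []byte("db-password-constructed-sample") // constructed sample value
	env, _ := Seal(kms, secret)
	got, err := Open(kms, env)
	fmt.Printf("proxy can read value: %v; cp recovered %q (err=%v)\n", Leaks(env, secret), got, err)
	env.Ciphertext[len(env.Ciphertext)-1] ^= 0x01 // one bit flipped in transit
	_, err = Open(kms, env)
	fmt.Printf("tampered envelope accepted: %v\n", err == nil)
}
```

Per-value DEKs keep the KMS out of the bulk data path (it only wraps 32-byte keys) and mean a leaked envelope exposes one value at most; the AAD label on wrap is a cheap guard against the wrapped DEK being presented to the KMS under a different purpose.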

Who this is for

  • Regulated teams (fintech, healthtech, defence-adjacent) where "everyone has full Vault read access" is no longer an answer your auditor will accept.
  • Platform teams standing up multi-cluster / multi-account secrets governance from scratch.
  • Compliance engineers who need a real audit trail (correlation IDs, immutable rows, value-free metadata) without reaching for an SIEM bolt-on.

How it's different

| | Secrets Bridge | Direct Vault | AWS Secrets Manager + IAM | Most "secrets SaaS" |
|---|---|---|---|---|
| Multi-provider | ✅ Vault + AWS + Azure + GCP | Vault only | AWS only | Varies |
| Workflow approval per read | ✅ Built-in | Plugin / RFC | | Some |
| Single-shot reveal-once UX | ✅ Built-in | | | Some |
| Append-only audit at schema | ✅ Postgres triggers | ❌ application-layer | CloudTrail (not append-only) | Varies |
| Self-hostable | ✅ OSS, no SaaS dependency | | | n/a |
| KMS choice | ✅ Vault Transit / AWS KMS / local | n/a | AWS KMS only | Provider-controlled |
| Agent uses only outbound traffic | ✅ Loopback probes; no inbound | n/a | n/a | Varies |

What it doesn't do (yet)

  • OIDC SSO lands as a follow-up — today the api ships with a local-admin email/password flow plus a JWT issued via HS256.
  • Per-tenant KMS scoping — one CMK per deployment for now; multi-tenant scoping is the next major slice.
  • Slack / PagerDuty notifications — webhook is in; native sinks are stubs.
  • GCP Secret Manager + Azure Key Vault discovery — the agent's resolvers ship Vault + AWS-SM today; the others land per design partner request.

🚧 Pre-v1.0

The architectural foundation is solid (BRD-aligned, polyrepo, infra-free core, type-safe Go), but several P0 items from the SECURITY_REVIEW are still open: real OIDC, agent workload identity, rate limiting, key-rotation runbook. We're tracking them on the org project board.

If you'd like to be a design partner — particularly if you're in financial services, healthcare, or government-adjacent — please open an issue at secrets-bridge/.github.