Metadata-Version: 2.3
Name: whispr
Version: 0.1.1
Summary: A CLI tool to whisper your secrets between secure vault and your local environment
Project-URL: Documentation, https://github.com/narenaryan/whispr/blob/main/README.md
Project-URL: Issues, https://github.com/narenaryan/whispr/issues
Project-URL: Source, https://github.com/narenaryan/whispr
Author-email: Naren Yellavula <naren.yellavula@gmail.com>
License-Expression: MIT
License-File: LICENSE
Keywords: code-security,cybersecurity,devsecops,mitre-attack-framework,no-plain-secrets,whispr
Classifier: Development Status :: 4 - Beta
Classifier: Programming Language :: Python
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: Implementation :: CPython
Classifier: Programming Language :: Python :: Implementation :: PyPy
Requires-Python: >=3.9
Requires-Dist: azure-identity==1.19.0
Requires-Dist: azure-keyvault==4.2.0
Requires-Dist: boto3==1.35.42
Requires-Dist: click==8.1.7
Requires-Dist: google-cloud-secret-manager==2.20.2
Requires-Dist: hvac==2.3.0
Requires-Dist: python-dotenv==1.0.1
Requires-Dist: pyyaml==6.0.2
Requires-Dist: structlog==24.4.0
Description-Content-Type: text/markdown

# Whispr

![Logo](./logo.png)

Whispr (pronounced whisp-r) is a CLI tool that safely injects secrets from your favorite secret vault (e.g. AWS Secrets Manager, Azure Key Vault) into your app's environment. This is very useful for enabling secure local software development.

Whispr reads the keys (with empty values) specified in a `.env` file, fetches the corresponding secrets from a vault, and sets them as environment variables before launching an application.

Key Features of Whispr:

* **Safe Secret Injection**: Fetch and inject secrets from your desired vault over HTTPS, with SSL encryption and strict certificate validation.
* **Just In Time (JIT) Privilege**: Set environment variables for developers only when they're needed.
* **Secure Development**: Eliminate plain-text secret storage and ensure a secure development process.
* **Customizable Configurations**: Configure project-level settings to manage multiple secrets for multiple projects.
* **No Custom Scripts Required**: Whispr eliminates the need for custom bash scripts or cloud CLI tools to manage secrets, making it easy to get started.
* **Easy Installation**: Cross-platform installation with PyPI.

Supported Vault Technologies:

![Supported-vaults](./whispr-supported.png)


# Why use Whispr?

The MITRE ATT&CK Framework Tactic 8 (Credential Access) suggests that adversaries can exploit plain-text secrets and sensitive information stored in files like `.env`. It is essential to avoid storing sensitive information in unencrypted files. To help developers, Whispr can safely fetch and inject secrets from a vault into the current shell environment. This enables developers to securely manage credentials and mitigate adversary exploitation tactics.


# Installation and Setup

## Installing Whispr

To get started with Whispr, simply run:

```bash
pip install whispr
```

## Configuring Your Project

**Step 1: Initialize Whispr**

Run `whispr init` in your terminal to create a `whispr.yaml` file in your project root. This file will store your configuration settings.

**Example whispr.yaml contents (For: AWS):**
```yaml
env_file: '.env'
secret_name: <your_secret>
vault: aws
```

## Setting Up Your Injectable Secrets

**Step 2: Create or Configure a Secret File**

Create a new `.env` file with empty values for your secret keys. For example:

```bash
POSTGRES_USERNAME=
POSTGRES_PASSWORD=
```

**Note**: You can also control the filename with the `env_file` key in your `whispr.yaml`.

**Step 3: Authenticating to Your Vault (Ex: AWS)**

*   Authenticate to AWS via `aws sso login`.
*   Alternatively, set temporary AWS credentials using a config file or environment variables.

**Note**: Use the respective authentication methods for other vaults.

## Launch any Application using Whispr

Now you can run any app using `whispr run '<your_app_command_with_args>'` (mind the single quotes around the command) to inject your secrets before starting the subprocess.

Examples:
```bash
whispr run 'python main.py' # Inject secrets and run a Python program
whispr run 'node server.js --threads 4' # Inject secrets and run a Node.js express server
whispr run 'python manage.py runserver' # Inject secrets and start a Django server
whispr run '/bin/sh ./script.sh' # Inject secrets and run a custom bash script. Script should be permitted to execute
whispr run 'semgrep scan --pro' # Inject Semgrep App Token and scan current directory with Semgrep SAST tool.
```
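
The flow described in the steps above (empty keys in `.env`, values fetched from the vault, secrets injected into the launched subprocess) can be sketched as follows. This is an added illustration, not Whispr's own code: the function names are hypothetical, the vault response is a constructed JSON string instead of a real vault call, and passing secrets only through the child's environment is an assumption of this sketch.

```python
import json
import os
import shlex
import subprocess
import sys


def keys_from_env_file(env_text):
    """Return the key names declared in .env text; any values are ignored."""
    keys = []
    for line in env_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        keys.append(line.split("=", 1)[0].strip())
    return keys


def select_secrets(env_text, secret_json):
    """Keep only the vault entries whose key is declared in the .env file."""
    vault = json.loads(secret_json)
    wanted = keys_from_env_file(env_text)
    found = {k: str(vault[k]) for k in wanted if k in vault}
    missing = [k for k in wanted if k not in vault]
    return found, missing


def run_with_secrets(command, env_text, secret_json):
    """Run `command` with the selected secrets in the child's environment only."""
    found, missing = select_secrets(env_text, secret_json)
    for key in missing:
        print(f"warning: {key} is not in the vault secret", file=sys.stderr)
    child_env = {**os.environ, **found}  # the parent's os.environ is untouched
    # shlex.split without shell=True: the command is never shell-interpreted
    return subprocess.run(shlex.split(command), env=child_env, capture_output=True, text=True)


# Constructed sample input; the JSON stands in for the vault's response.
ENV_TEXT = "POSTGRES_USERNAME=\nPOSTGRES_PASSWORD=\nAPI_TOKEN=\n"
SECRET_JSON = json.dumps({
    "POSTGRES_USERNAME": "app_user",
    "POSTGRES_PASSWORD": "constructed-not-a-real-password",
    "UNRELATED_KEY": "never-injected",
})

if __name__ == "__main__":
    child = "import os; print(os.environ['POSTGRES_USERNAME'])"
    cmd = f"{shlex.quote(sys.executable)} -c {shlex.quote(child)}"
    print(run_with_secrets(cmd, ENV_TEXT, SECRET_JSON).stdout.strip())
```

Because only keys named in the `.env` file are selected, other entries stored in the same vault secret never reach the child process, and nothing is written to disk.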

## Whispr Architecture

![Whispr-architecture](./whispr-arch.png)

# TODO

* Add unit tests
* Support HashiCorp Vault
* Support 1Password Vault
