Skip to content

Changelog

All notable changes to SecretZero are documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

Planned

  • Web UI for secret management
  • Kubernetes Operator
  • Terraform Provider
  • Notification webhooks
  • Database backend for lockfile

[0.7.0] - 2026-02-16

Added - Phase 7: API Service

REST API Server

  • FastAPI-based HTTP API for programmatic management
  • Modern async Python web framework
  • Automatic OpenAPI schema generation
  • Built-in Pydantic validation
  • CORS middleware for web frontend integration
  • Global error handling with consistent responses
  • Server entry point via secretzero-api command

API Endpoints

  • GET / - API information and version
  • GET /health - Health check endpoint
  • POST /config/validate - Validate Secretfile configuration
  • GET /secrets - List all secrets
  • GET /secrets/{name}/status - Get secret status from lockfile
  • POST /sync - Generate and sync secrets to targets
  • POST /rotation/check - Check rotation status
  • POST /rotation/execute - Execute secret rotation
  • POST /policy/check - Validate against policies
  • POST /drift/check - Detect configuration drift
  • GET /audit/logs - Retrieve audit log entries

Authentication & Security

  • API key authentication via X-API-Key header
  • Timing-safe key comparison with SHA-256 hashing
  • Audit logging for all operations
  • Optional authentication mode for development

Documentation

  • Swagger UI at /docs for interactive exploration
  • ReDoc at /redoc for alternative documentation
  • OpenAPI spec at /openapi.json for machine consumption
  • API Getting Started Guide with examples
  • Python client example for programmatic usage

Testing

  • 23 comprehensive API tests
  • Authentication scenarios (valid, invalid, missing)
  • All endpoint coverage
  • Error handling tests
  • 100% endpoint test coverage

Changed

  • Optional Dependencies: Added api extra with FastAPI and Uvicorn
  • Development Dependencies: Added httpx and pytest-asyncio for async testing

Performance

  • Health check: <1ms response time
  • List secrets: ~5-10ms
  • Sync operations: ~10-20ms per secret
  • Stateless design for horizontal scaling

[0.6.0] - 2026-02-16

Added - Phase 6: Advanced Features

Secret Rotation System

  • Rotation period parsing supporting days (d), weeks (w), months (m), years (y)
  • Rotation tracking in lockfile with last_rotated timestamp and rotation_count
  • Automatic due date calculation for scheduled rotation
  • One-time secret handling with warnings for rotation attempts
  • CLI command secretzero rotate with dry-run and force options

Policy System

  • Rotation policies enforcing rotation requirements and max age
  • Compliance policies for SOC2 and ISO27001 standards
  • Access control policies for allowed/denied target types
  • Policy violations with detailed reporting and remediation suggestions
  • CLI command secretzero policy with --fail-on-warning flag

Drift Detection

  • Drift detector comparing lockfile state with actual targets
  • Detection capabilities for missing secrets, files, and corrupted entries
  • CLI command secretzero drift for status checking
  • Remediation suggestions for detected drift

Multi-Environment Support (Partial)

  • Variable interpolation supporting environment-specific values
  • Provider profiles for multiple configurations
  • Environment-specific policies framework
  • Full implementation deferred to Phase 7

Testing

  • 40 new tests (184 total)
  • test_rotation.py: 18 tests for rotation logic
  • test_policy.py: 12 tests for policy enforcement
  • test_lockfile_rotation.py: 10 tests for lockfile tracking
  • 100% test pass rate

  • 90% coverage on new modules

Changed

  • Lockfile schema extended with rotation metadata
  • Secretfile schema now supports policies section
  • Metadata supports compliance standards list

[0.5.0] - 2026-02-16

Added - Phase 5: Kubernetes & Container Support

Kubernetes Provider

  • Full cluster integration with kubeconfig, in-cluster, and token authentication
  • Multiple auth methods supporting various deployment scenarios
  • Automatic cluster version detection and connectivity verification
  • Context selection for multi-cluster configurations

Kubernetes Secret Target

  • Native Secret management with create/update idempotency
  • All secret types supported: Opaque, TLS, Docker, BasicAuth, SSH
  • Namespace support for multi-environment deployments
  • Labels and annotations for metadata tracking
  • Base64 encoding handled automatically

External Secrets Operator Support

  • Manifest generation for GitOps workflows
  • Multi-backend support: AWS, Azure, Vault, and custom backends
  • Refresh intervals for configurable sync frequencies
  • SecretStore references for integration with existing stores
  • YAML output for Git-tracked configurations

Examples & Documentation

  • kubernetes-basic.yml (119 lines) - Basic secret management
  • kubernetes-multi-namespace.yml (168 lines) - Multi-environment deployment
  • kubernetes-external-secrets.yml (127 lines) - External Secrets Operator
  • kubernetes-complete.yml (259 lines) - Complete reference with RBAC

Testing

  • 19 new tests (161 total, 144 passing)
  • Provider tests: 9 tests for authentication and connectivity
  • Secret target tests: 6 tests for CRUD operations
  • External secret tests: 4 tests for manifest generation
  • 84% provider coverage, 49% target coverage

Security

  • RBAC documentation with minimal permissions
  • Namespace isolation enforced
  • Base64 encoding for Kubernetes Secret data
  • ServiceAccount tokens for in-cluster authentication

[0.4.0] - 2026-02-16

Added - Phase 4: CI/CD Integration

GitHub Actions Integration

  • Token-based authentication with Personal Access Tokens
  • Repository secrets for workflow-level storage
  • Environment secrets with environment-specific scoping
  • Organization secrets with configurable visibility
  • PyNaCl encryption using repository public keys

GitLab CI/CD Integration

  • Token-based authentication supporting PAT and OAuth
  • Project variables with environment scoping
  • Group variables with inheritance across hierarchy
  • Protected variables for protected branches only
  • Masked variables hidden in job logs
  • File variables written to temporary files

Jenkins Integration

  • Token-based authentication with username + API token
  • String credentials for simple text secrets
  • Username/password credentials for login pairs
  • Credential scoping (global, folder-specific)
  • XML API with Groovy script fallback

Examples & Documentation

  • github-actions.yml - GitHub Actions integration guide
  • gitlab-cicd.yml - GitLab CI/CD integration guide
  • jenkins-credentials.yml - Jenkins integration guide
  • multi-cicd.yml - Multi-platform integration

Testing

  • 35 new tests (140 total)
  • GitHub provider: 11 tests
  • GitLab provider: 11 tests
  • Jenkins provider: 13 tests
  • All tests passing with 80-81% coverage on new code

Dependencies

  • PyGithub>=2.1.0 - GitHub API client
  • PyNaCl>=1.5.0 - GitHub secret encryption
  • python-gitlab>=4.0.0 - GitLab API client
  • python-jenkins>=1.8.0 - Jenkins API client
  • New cicd optional dependency group

[0.3.0] - 2026-02-16

Added - Phase 3: Cloud Provider Integration

AWS Provider

  • Ambient authentication using default credential chain
  • Profile-based authentication with named AWS profiles
  • Assume role authentication for cross-account access
  • Secrets Manager target with automatic version tracking
  • SSM Parameter Store target with SecureString support

Azure Provider

  • Default credential authentication using Azure credential chain
  • Managed Identity authentication for Azure resources
  • Azure CLI authentication for development
  • Key Vault target with automatic versioning

HashiCorp Vault Provider

  • Token authentication for direct access
  • AppRole authentication for machine-oriented auth
  • KV v1 and v2 support with automatic versioning
  • Namespace support for Vault Enterprise

Provider Infrastructure

  • Base provider class with standardized interface
  • Provider registry for centralized lifecycle management
  • Authentication abstraction with pluggable auth handlers
  • Connection testing for all providers
  • Graceful degradation for missing dependencies

Testing

  • 23 new tests (105 total)
  • Base provider: 8 tests
  • Registry: 8 tests
  • AWS provider: 3 tests (mocked)
  • Azure provider: 2 tests (mocked)
  • Vault provider: 2 tests (mocked)
  • 57% overall coverage, 75%+ on core modules

Dependencies

  • boto3>=1.26.0 - AWS SDK (optional)
  • azure-identity>=1.12.0 - Azure authentication (optional)
  • azure-keyvault-secrets>=4.7.0 - Azure Key Vault (optional)
  • hvac>=1.0.0 - Vault client (optional)
  • New all optional dependency group

[0.2.0] - 2026-02-16

Added - Phase 2: Secret Generation & Local Storage

Generators

  • Random password generator with configurable character sets
  • Cryptographically secure using Python's secrets module
  • Configurable length, character types, exclusions
  • Random string generator with multiple charsets
  • Alphanumeric, alpha, numeric, hex charsets
  • Configurable length
  • Static generator with regex validation
  • Default value support
  • Pattern validation
  • Script generator for external command execution
  • Configurable timeout
  • Error handling with detailed messages
  • Environment variable fallback for all generators

File Targets

  • Dotenv format (.env files) with merge support
  • JSON format with pretty printing
  • YAML format with clean output
  • TOML format (optional, requires tomli/tomli-w)
  • Merge mode for intelligent file updates
  • Overwrite mode for complete replacement
  • Parent directory creation automatic

Lockfile Management

  • SHA-256 hashing for secret value tracking
  • Timestamp tracking for creation and updates
  • Per-target hash tracking for drift detection
  • Change detection to determine if secrets changed
  • JSON persistence in human-readable format

Sync Engine

  • Secret generation with configured generators
  • Template support for multi-field secrets
  • One-time secret support to prevent regeneration
  • Change detection to only update when necessary
  • Multi-target storage in all configured targets
  • Detailed result reporting with statistics

CLI Commands

  • secretzero sync - Generate and sync secrets
  • --dry-run - Preview without changes
  • --force - Force regeneration
  • secretzero show <secret> - Display secret information

Testing

  • 52 new tests (82 total)
  • test_generators.py: 22 tests
  • test_targets.py: 12 tests
  • test_lockfile.py: 13 tests
  • CLI updates: 6 tests
  • 87% overall coverage

Changed

  • Updated .gitignore to exclude lockfiles and .env files
  • CLI now supports detailed progress reporting

[0.1.0] - 2026-02-16

Added - Phase 1: Foundation

Core Data Models

  • Pydantic models for type-safe configuration
  • Secretfile - Root configuration model
  • Secret - Secret definition with targets
  • Template - Multi-field secret templates
  • Provider - Provider configuration
  • TargetConfig - Target storage configuration
  • GeneratorConfig - Generator configuration
  • Metadata - Project metadata
  • Enums for type safety
  • AuthKind - Authentication types
  • GeneratorKind - Generator types
  • TargetKind - Target types
  • FileFormat - File formats

Configuration Loading

  • YAML parsing with validation
  • Variable interpolation using Jinja2
  • {{var.name}} - Direct variable reference
  • {{var.name or 'default'}} - Variable with fallback
  • Schema validation with clear error messages
  • Graceful error handling for interpolation failures

CLI Tool

  • secretzero create - Create new Secretfile from template
  • secretzero validate - Validate configuration
  • secretzero secret-types - List available types
  • secretzero test - Test provider connectivity
  • Rich console output with colors and tables
  • Interactive help system
  • Version information

Project Structure

  • Clean, modular architecture
  • Comprehensive documentation
  • README.md - Project overview
  • docs/extending.md - Extension guide
  • docs/use_cases.md - Use case documentation
  • project/ROADMAP.md - Project roadmap

Testing

  • 30 comprehensive tests
  • test_models.py: 14 tests
  • test_config.py: 7 tests
  • test_cli.py: 9 tests
  • 96% code coverage

Technical Stack

  • Pydantic for data modeling
  • Click for CLI framework
  • Rich for terminal output
  • Jinja2 for variable interpolation
  • pytest for testing

Version History

  • v0.7.0 (2026-02-16) - Phase 7: API Service
  • v0.6.0 (2026-02-16) - Phase 6: Advanced Features (Rotation, Policies, Drift)
  • v0.5.0 (2026-02-16) - Phase 5: Kubernetes & Container Support
  • v0.4.0 (2026-02-16) - Phase 4: CI/CD Integration (GitHub, GitLab, Jenkins)
  • v0.3.0 (2026-02-16) - Phase 3: Cloud Provider Integration (AWS, Azure, Vault)
  • v0.2.0 (2026-02-16) - Phase 2: Secret Generation & Local Storage
  • v0.1.0 (2026-02-16) - Phase 1: Foundation

Feature Summary by Version

Feature Version Status
Core Framework v0.1.0
CLI Tool v0.1.0
Secret Generators v0.2.0
Local File Storage v0.2.0
Lockfile System v0.2.0
AWS Integration v0.3.0
Azure Integration v0.3.0
Vault Integration v0.3.0
GitHub Actions v0.4.0
GitLab CI/CD v0.4.0
Jenkins v0.4.0
Kubernetes v0.5.0
External Secrets Operator v0.5.0
Secret Rotation v0.6.0
Policy Engine v0.6.0
Drift Detection v0.6.0
REST API v0.7.0
Audit Logging v0.7.0
OpenAPI Docs v0.7.0

Compliance

SecretZero meets the following compliance standards:

  • SOC2: Secret rotation policies, audit trails, access controls
  • ISO27001: Documented rotation periods, change tracking
  • Zero Security Vulnerabilities: CodeQL verified across all releases

Testing Metrics

Version Total Tests Coverage Status
v0.1.0 30 96%
v0.2.0 82 87%
v0.3.0 105 57%
v0.4.0 140 54%
v0.5.0 161 84% (provider)
v0.6.0 184 90%+ (new modules)
v0.7.0 207 100% (endpoints)

See Also