• Stars
    star
    143
  • Rank 257,007 (Top 6 %)
  • Language
    Go
  • License
    Apache License 2.0
  • Created over 3 years ago
  • Updated 5 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Enhanced env command to set environment variable by various method

zenv CI Security Scan Vuln scan

zenv is enhanced env command to manage environment variables in CLI.

  • Load environment variable from .env file by
    • Static values
    • Reading file content
    • Executing command
  • Securely save, generate and get secret values with Keychain, inspired by envchain (supported only macOS)
  • Replace command line argument with loaded environment variable

Install

go install github.com/m-mizutani/zenv@latest

Basic Usage

Set by CLI argument

Can set environment variable in same manner with env command

$ zenv POSTGRES_DB=your_local_dev_db psql

Load from .env file

Automatically load .env file and

$ cat .env
POSTGRES_DB=your_local_db
POSTGRES_USER=test_user
PGDATA=/var/lib/db
$ zenv psql -h localhost -p 15432
# connecting to your_local_db on localhost:15432 as test_user

Save and load secret values

# save a secret value
$ zenv secret write @aws-account AWS_SECRET_ACCESS_KEY
Value: # no echo
$ zenv secret write @aws-account AWS_ACCESS_KEY_ID
Value: # no echo

# load a secret value and execute command "aws s3 ls"
$ zenv @aws-account aws s3 ls
2020-06-19 03:53:13 my-bucket1
2020-04-18 06:45:44 my-bucket2
...

secret write command format is zenv secret write <Namespace> <Key> to save a secret value. In above case, @aws-account is Namespace and AWS_SECRET_ACCESS_KEY & AWS_ACCESS_KEY_ID are Key (Environment variable name). Namespace must have @ prefix.

zenv <Namespace> <Command> executes <Command> with loaded secret value(s) from <Namespace> as environment variables. If multiple environment variables are saved in the <Namespace>, all variables are loaded.

Mixing CLI, .env and secret

All of CLI argument, loading .env and secret can be used in parallel. An example is following.

$ zenv secret write @aws-account AWS_SECRET_ACCESS_KEY
Value: # no echo
$ cat .env
AWS_ACCESS_KEY_ID=abcdefghijklmn
$ zenv @aws-account AWS_REGION=jp-northeast-1 aws s3 ls
# access to S3 with AWS_SECRET_ACCESS_KEY, AWS_SECRET_ACCESS_KEY and AWS_REGION

Also, -e option specifies a file used as .env.

List loaded variables

You can see loaded environment variable by zenv with zenv list <...> command.

$ zenv list @aws-account AWS_REGION=jp-northeast-1
AWS_REGION=jp-northeast-1
AWS_ACCESS_KEY_ID=abcdefghijklmn
AWS_SECRET_ACCESS_KEY=******************************** (hidden)

You can specify arguments to specify loading environment in same manner with executing command. Of curse secret values loaded from Keychain will be masked.

Advanced Usage

Generate random secure value

secret generate subcommand can generate random value like token and save to KeyChain.

$ zenv secret generate @my-project MYSQL_PASS
$ zenv secret generate @my-project -n 8 TMP_TOKEN # set length to 8
$ zenv list @my-project
MYSQL_PASS=******************************** (hidden)
TMP_TOKEN=******** (hidden)

List namespaces

secret list subcommand shows list of namespaces.

$ zenv secret list
@aws
@local-db
@staging-db

Put namespace into .env file

You can also can put Namespace for secret values into .env file. Then, zenv always loads secret values without Namespace argument.

$ zenv secret write @aws AWS_SECRET_ACCESS_KEY
Value # <- input

$ cat .env
@aws
AWS_REGION=jp-northeast-1
AWS_ACCESS_KEY_ID=abcdefghijklmn

$ zenv list
AWS_REGION=jp-northeast-1
AWS_ACCESS_KEY_ID=abcdefghijklmn
AWS_SECRET_ACCESS_KEY=******************************** (hidden)

Replace value in environment variable with another one

zenv replaces words having % prefix with existing another environment variable.

$ cat .env
MYTOOL_DB_PASSWD=abc123
PGPASSWORD=%MYTOOL_DB_PASSWD
$ zenv list
MYTOOL_DB_PASSWD=abc123
PGPASSWORD=abc123

Replace value in arguments with loaded environment variable

zenv replaces words having % prefix with loaded environment variable.

$ cat .env
TOKEN=abc123
$ zenv curl -v -H "Authorization: bearer %TOKEN" http://localhost:1234
(snip)
> GET /api/v1/alert HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.64.1
> Accept: */*
> Authorization: bearer abc123
(snip)

Loading file content to environment variable

Sometime, we need to load large content into environment variable. For example, Google OAuth2 credential file is slightly large to write in .env file and complicated. zenv can load file content into environment variable with & prefix.

$ cat .env
GOOGLE_OAUTH_DATA=&tmp/client_secret_00000-abcdefg.apps.googleusercontent.com.json
$ zenv list
GOOGLE_OAUTH_DATA={"web":{"client_id":"00000...(snip)..."}}
$ zenv ./some-oauth-server

Execute command in .env file

zenv recognizes environment value as command by surrounding with ` backquote (backtick). The feature is useful to set short live token that provided CLI command. zenv set standard output as value of environment variable.

$ cat .env
GOOGLE_TOKEN=`gcloud auth print-identity-token`
$ zenv list
GOOGLE_TOKEN=eyJhbGciOiJS...(snip)
$ zenv ./some-app-requires-token

Backup and restore secrets

For example, when migrating PC, we need to transfer every data including secrets. So backup and restore features are required. zenv provides export and import command as following.

$ zenv secret write @aws AWS_SECRET_ACCESS_KEY
Value: # <- input secret
$ zenv secret export -o backup.json
input passphrase: # <- input passphrase
exported secrets to backup.json
$ cat backup.json
{
  "CreatedAt": "2022-03-27T13:37:06.577827+09:00",
  "Encrypted": "wr/s6Z5T4diP6Ihu1318tL2tRA2Ch2LImAB1QEJi0...(snip)..."
}

secret export command dumps encrypted all secrets to JSON file. You can filter dumped namespace by -n option.

After that, move backup.json to new machine and import it.

$ zenv secret import backup.json
input passphrase: # <- input passphrase
$ zenv list @aws
AWS_SECRET_ACCESS_KEY=******************************** (hidden)

Passphrase must be same when exporting and importing.

License

Apache License 2.0

More Repositories

1

masq

A utility to redact sensitive data for slog in Go
Go
103
star
2

goast

Go AST based static analysis tool with Rego
Go
59
star
3

octovy

Trivy based vulnerability management service
Go
55
star
4

zlog

Secure logger in Go to avoid output sensitive data in log
Go
36
star
5

goerr

More contextual error handling in Go
Go
34
star
6

packetmachine

Fast network packet decoding library in C++
C++
27
star
7

libfluent

Library to send log as fluentd forwarding message
C++
24
star
8

golambda

A suite of Go utilities for AWS Lambda functions to ease adopting best practices.
Go
22
star
9

clog

Customizable Go slog Handler
Go
21
star
10

vulnivore

GitHub issue manager from vulnerability scan results for private repositories
Go
21
star
11

ghnotify

General GitHub event notification tool to Slack with Open Policy Agent and Rego
Go
21
star
12

alertchain

Simple SOAR (Security Orchestration, Automation and Response) framework integrated with OPA/Rego
Go
20
star
13

dns-gazer

DNS passive monitoring tool
C++
16
star
14

lurker

Scalable security network sensor as low interaction honeypot
Go
16
star
15

AlertResponder

Automatic security alert response framework by AWS Serverless Application Model
Go
14
star
16

lurker-cpp

Lurker monitors an incoming network TCP SYN packet to invalid port number, and will respond a TCP SYN-ACK packet to collect packet payload from attacker
C++
12
star
17

ghaudit

CLI audit tool for GitHub organization with OPA/Rego
Go
12
star
18

web-app-go

Template of Web application in Go (gin-gonic) + Vue + webpack
Go
10
star
19

docker-based-home-router

Python
10
star
20

falconstream

Event forwarder for CrowdStrike Falcon
Go
10
star
21

dnshive

DnsHive gather name resolution protocol traffic, such as DNS forward lookup query/result and show IP traffic based on looked up names
C++
9
star
22

altenv

Powerful CLI Environment Variable Manager in Go
Go
8
star
23

gofalcon

CrowdStrike Falcon API client in Go
Go
8
star
24

mdstore

Blacklisted Domain Name Merging & Management Tool
JavaScript
8
star
25

practical-security-monitoring

ε…₯ι–€γ‚»γ‚­γƒ₯γƒͺティ監視
8
star
26

vxcap

Capture and dump VXLAN encapsulated traffic
Go
7
star
27

gsuite-log-exporter

Go
7
star
28

urlscan-go

urlscan.io client library in Go
Go
7
star
29

cpp-template

template of a new C++ project
C++
6
star
30

boilerplate-cdk-react-app

A boilerplate of CDK and React simple application
TypeScript
6
star
31

wowclp

World of Warcraft Combat Log Parser
Python
6
star
32

spout

Lightweight structured log viewer for cloud services
Go
5
star
33

logptn

Generate Log Format from real log data
Go
5
star
34

gt

Generics based Test library in Go
Go
5
star
35

fbdump

Dump a massive amount of Firebase Auth user records
Go
5
star
36

aws-honeypot-templates

CloudFormation templates of low interaction honeypot on AWS
Python
5
star
37

triview

CLI tool to view trivy DB
Go
5
star
38

slips

Serverless Log Iterative Processor from AWS S3
Python
5
star
39

aws-securityhub-exporter

CloudFormation stack to export findings of AWS Security Hub to S3 Bucket
Go
4
star
40

devourer-cpp

Devourer is live packet capture and statistics tool for various protocols.
C++
4
star
41

opac

Rego policy inquiry library with OPA
Go
4
star
42

gots

Simple and easy, but tedious function set in Go.
Go
3
star
43

argparse-cpp

ArgumentParser in C++ inspired by Python
C++
3
star
44

regolint

Custom Rego linter with policy written by Rego
Go
3
star
45

nodejs-addon-template

minimum set of node.js addon
C++
3
star
46

aws-sns-to-kinesis

Message Forwarding Serverless Application from Amazon Simple Notification Service (SNS) to Kinesis Data Stream
Go
3
star
47

opaq

Generic inquiry tool to OPA server for CI process, such as GitHub Actions
Go
3
star
48

badman

BADMAN: Blacklisted Address and Domain name MANager
Go
2
star
49

gurl

Go URL Request Library
Go
2
star
50

aws-budget-alert-slack

Slack notification tool for AWS budget alert
Go
2
star
51

aws-vpcflowlogs-parquet

AWS Lambda based VPC Flow Logs converter to Parquet format
Go
2
star
52

catbox

Vulnerability scan and management serverless system for AWS ECR images with Trivy.
2
star
53

rlogs

A framework to load remote log files in Go
Go
2
star
54

dnstrack

CDK Construct to monitor changes DNS record of your domain name continuously to detect DNS hijack
TypeScript
2
star
55

flowlogconf

Enable AWS flow logs for your all vpc
Go
2
star
56

logstruct

Automatic log structure analysis tool in Go
Go
2
star
57

m-mizutani

2
star
58

go-prj-template

Go project template for ownself
Go
1
star
59

remo2cw

CDK stack to put metrics of Nature Remo devices to Amazon CloudWatch Metrics
Go
1
star
60

deepalert-minerva

Go
1
star
61

aws-alarm-notify

Go
1
star
62

ssh-log-analisys

Tool set for syslog based SSH log analysis
Python
1
star
63

deepalert-crowdstrike-falcon

Go
1
star
64

seccamp-2023-b7

Open Policy Agent
1
star
65

dlqslack

Send Dead Letter Queue of AWS to Slack in Go
Go
1
star
66

goast-example

testing repository
Open Policy Agent
1
star
67

msgpack-file-sample

C++
1
star
68

sns-to-slack

Go
1
star
69

goast-action

Runs goast as GitHub action for customizable static analysis of Go code
Dockerfile
1
star
70

seccamp-2024-b3

HCL
1
star
71

rego-sandbox

Open Policy Agent
1
star
72

bqs

BigQuery Schema utility in Go
Go
1
star
73

anomlog

General text log anomaly detection engine
Go
1
star
74

nounify

The unified customizable notification service for all HTTP requests with Rego
Go
1
star