README

Introduction

Infisical is the open source security infrastructure platform that teams use for secrets, certificates, and privileged access management.

We're on a mission to make security tooling more accessible to everyone, not just security teams, and that means redesigning the entire developer experience from ground up.

Features

Secrets Management:

Centralize your application secrets and configuration across every environment, with versioning, rotation, and leak prevention built in.

• Dashboard: Manage secrets across projects and environments (e.g. development, production, etc.) through a user-friendly interface.
• Secret Syncs: Sync secrets to platforms like GitHub, Vercel, AWS, and use tools like Terraform, Ansible, and more.
• Secret versioning and Point-in-Time Recovery: Keep track of every secret and project state; roll back when needed.
• Secret Rotation: Rotate secrets at regular intervals for services like PostgreSQL, MySQL, AWS IAM, and more.
• Dynamic Secrets: Generate ephemeral secrets on-demand for services like PostgreSQL, MySQL, RabbitMQ, and more.
• Secret Scanning and Leak Prevention: Prevent secrets from leaking to git.
• Infisical Kubernetes Operator: Deliver secrets to your Kubernetes workloads and automatically reload deployments.
• Infisical Agent: Inject secrets into applications without modifying any code logic.
• Honey Tokens: Plant decoy credentials alongside your real secrets that act as tripwires, instantly alerting your team the moment an attacker tries to use them.
• Agent Vault: Broker AI agent access to external APIs so agents never hold real credentials. Outbound requests route through a proxy that injects secrets before forwarding, eliminating credential exfiltration risk from prompt injection.

Certificate Management

Run a complete private PKI: issue, manage, and monitor X.509 certificates from a centralized platform.

• Internal CA: Create and manage a private CA hierarchy directly within Infisical.
• External CA: Integrate with third-party certificate authorities such as Let’s Encrypt, DigiCert, Microsoft AD CS, and more to leverage existing PKI infrastructure or issue publicly trusted certificates.
• Certificate Lifecycle Management: Create certificate profiles and policies to control how certificates are issued, including enrollment methods such as API, ACME, or EST. Manage the full lifecycle from issuance to renewal and revocation with CRL and inventory tracking.
• Certificate Syncs: Sync certificates to external platforms like AWS Certificate Manager and Azure Key Vault.
• Alerting: Configure alerting for expiring CA and end-entity certificates.
• Code Signing: Sign software artifacts like containers, installers, and packages with managed code-signing certificates, central approval, and a full audit trail.

Infisical Key Management System (KMS):

Centrally manage cryptographic keys and use them to encrypt and decrypt data across your projects.

• Cryptographic Keys: Centrally manage keys across projects through a user-friendly interface or via the API.
• Encrypt and Decrypt Data: Use symmetric keys to encrypt and decrypt data.

Privileged Access Management (PAM)

Manage and secure access to critical infrastructure like databases and servers with policy-based controls, approvals, and full session visibility.

• Privileged Access Management: Decouple user identity from infrastructure credentials. Users authenticate with their SSO identity while Infisical brokers just-in-time access to resources like PostgreSQL, SSH servers, Kubernetes, Active Directory, and more.
• Session Recording: Capture and replay privileged sessions for audit and compliance, with AI session insights to surface risky activity.
• Credential Rotation: Automatically rotate the underlying credentials for managed resources so static secrets never leave Infisical.
• Web Access: Connect to SSH, PostgreSQL, Redis, and Windows RDP resources directly from the browser.

General Platform:

Capabilities that span every Infisical product.

• Authentication Methods: Authenticate machine identities with Infisical using a cloud-native or platform agnostic authentication method (Kubernetes Auth, GCP Auth, Azure Auth, AWS Auth, OIDC Auth, Universal Auth).
• Access Controls: Define advanced authorization controls for users and machine identities with RBAC, additional privileges, temporary access, access requests, approval workflows, and more.
• Audit logs: Track every action taken on the platform, with optional audit log streaming to external logging providers.
• Gateway: Securely reach private network resources from Infisical without opening inbound connections to your environment.
• Self-hosting: Deploy Infisical on-prem or cloud with ease; keep data on your own infrastructure.
• Infisical SDK: Interact with Infisical via client SDKs (Node, Python, Go, Ruby, Java, .NET)
• Infisical CLI: Interact with Infisical via CLI; useful for injecting secrets into local development and CI/CD pipelines.
• Infisical API: Interact with Infisical via API.

Getting started

Check out the Quickstart Guides

Run Infisical locally

To set up and run Infisical locally, make sure you have Git and Docker installed on your system.

Linux/macOS:

git clone https://github.com/Infisical/infisical && cd "$(basename $_ .git)" && cp .env.example .env && docker compose -f docker-compose.prod.yml up

Windows (Command Prompt):

git clone https://github.com/Infisical/infisical && cd infisical && copy .env.example .env && docker compose -f docker-compose.prod.yml up

Once running, create an account at http://localhost:80.

Contributing? Check out our guide to see how to get started.

Scan and prevent secret leaks

On top of managing secrets with Infisical, you can also scan for over 140+ secret types in your files, directories and git repositories.

To scan your full git history, run:

infisical scan --verbose

Install pre commit hook to scan each commit before you push to your repository

infisical scan install --pre-commit-hook

Learn about Infisical's code scanning feature here

Open-source vs. paid

This repo available under the MIT expat license, with the exception of the ee directory which will contain premium enterprise features requiring a Infisical license.

If you are interested in managed Infisical Cloud of self-hosted Enterprise Offering, take a look at our website or book a meeting with us.

Security

Please do not file GitHub issues or post on our public forum for security vulnerabilities, as they are public!

Infisical takes security issues very seriously. If you have any concerns about Infisical or believe you have uncovered a vulnerability, please get in touch via the e-mail address [email protected]. In the message, try to provide a description of the issue and ideally a way of reproducing it. The security team will get back to you as soon as possible.

Note that this security address should be used only for undisclosed vulnerabilities. Please report any security problems to us before disclosing it publicly.

Contributing

Whether it's big or small, we love contributions. Check out our guide to see how to get started.

Not sure where to get started? You can:

• Join our <a href="https://infisical.com/slack">Slack</a>, and ask us any questions there.

We are hiring!

If you're reading this, there is a strong chance you like the products we created.

You might also make a great addition to our team. We're growing fast and would love for you to join us.