Infisical / infisical

♾ Infisical is the open-source secret management platform: Sync secrets across your team/infrastructure, prevent secret leaks, and manage internal PKI
https://infisical.com

Identify unused secrets #482

Open marnixhoh opened 1 year ago

marnixhoh commented 1 year ago

Feature description

I would love to be able to get rid of unused secrets when they are no longer actually used. Given that we have multiple environments, to which secrets are added and removed at different times, it sometimes happens that we forget to remove one.

One solution could be to show the lastTimeUsed of a secret. However, I do realize that this must be difficult to implement, as all the Infisical client does is inject secrets and nothing more.

Perhaps it would be easier to implement as part of an IDE integration. The integration could scan the codebase for all used secrets and compare these to the ones in Infisical?

I hope this is helpful! And if you have any questions, feel free to reach out anytime :D

Why would it be useful?

On large codebases with multiple environments, it is easy for unused secrets to get left behind.
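The codebase scan proposed above, as an added example that is not part of the original issue and not Infisical's own code or CLI. It assumes an IDE integration (or a CI job) can obtain the list of key names a project holds in Infisical and the text of the files in the checkout; both are constructed inline here. It reports keys that no file references through a recognised static form, and separately flags files that read the environment dynamically, since a key consumed that way never appears in a static scan and the "unused" list is unreliable for those files.

```python
"""Flag secret keys that no file in a codebase references statically.

Added example for the feature discussed in the issue; not Infisical's own code.
The key list and the source files are constructed inline and stand in for what
an IDE integration would pull from the Infisical project and the open workspace.
"""
import re
from typing import Dict, Iterable, List, Set

KEY = r"([A-Z][A-Z0-9_]*)"

# Static access forms the scanner recognises; each regex captures the key name.
ACCESS_PATTERNS = [
    re.compile(r"process\.env\." + KEY),                             # Node: process.env.KEY
    re.compile(r"process\.env\[['\"]" + KEY + r"['\"]\]"),           # Node: process.env["KEY"]
    re.compile(r"os\.environ(?:\.get\(|\[)['\"]" + KEY + r"['\"]"), # Python: os.environ["KEY"], os.environ.get("KEY")
    re.compile(r"os\.getenv\(['\"]" + KEY + r"['\"]"),               # Python: os.getenv("KEY")
    re.compile(r"os\.Getenv\(\"" + KEY + r"\""),                     # Go: os.Getenv("KEY")
    re.compile(r"\$\{?" + KEY + r"\}?"),                             # Shell/Compose/CI YAML: $KEY, ${KEY}
]

# Dynamic access forms: a key read through a variable, or the whole environment
# enumerated. None of these name a key, so a file containing them may use keys the
# static scan cannot see.
DYNAMIC_PATTERNS = [
    re.compile(r"process\.env\[(?!['\"])"),                          # process.env[name]
    re.compile(r"Object\.(?:keys|entries)\(process\.env\)"),         # enumerate all keys
    re.compile(r"os\.environ(?:\.get\(|\[)(?!['\"])"),               # os.environ[name]
    re.compile(r"os\.getenv\((?!['\"])"),                            # os.getenv(name)
    re.compile(r"os\.environ\.(?:items|keys)\(\)|dict\(os\.environ\)|os\.Environ\(\)"),
]


def find_referenced_keys(files: Dict[str, str]) -> Set[str]:
    """Return every key name any file references through a recognised static form."""
    found: Set[str] = set()
    for text in files.values():
        for pat in ACCESS_PATTERNS:
            found.update(pat.findall(text))
    return found


def files_with_dynamic_access(files: Dict[str, str]) -> List[str]:
    """Return files that read the environment dynamically; scan results are unreliable there."""
    return sorted(path for path, text in files.items()
                  if any(pat.search(text) for pat in DYNAMIC_PATTERNS))


def scan(secret_keys: Iterable[str], files: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the keys held in the secret manager against the keys the codebase references.

    Keys under "candidates" are referenced by no recognised static form. They are
    candidates for review, not for automatic deletion: a key read via a dynamic lookup,
    by a service outside this repo, or only in another environment also lands here.
    """
    referenced = find_referenced_keys(files)
    return {
        "candidates": sorted(set(secret_keys) - referenced),
        "dynamic_access": files_with_dynamic_access(files),
    }


# Constructed sample input (hypothetical key list and checkout, not real project data).
INFISICAL_KEYS = ["DATABASE_URL", "STRIPE_SECRET_KEY", "S3_BUCKET", "AWS_REGION",
                  "SENTRY_DSN", "LEGACY_API_KEY", "OLD_SMTP_PASSWORD"]
SAMPLE_FILES = {
    "app/server.js": 'const db = process.env.DATABASE_URL;\n'
                     'const stripe = process.env["STRIPE_SECRET_KEY"];\n',
    "worker/main.py": 'import os\nbucket = os.environ["S3_BUCKET"]\n'
                      'region = os.getenv("AWS_REGION", "us-east-1")\n',
    "deploy/docker-compose.yml": 'environment:\n  - SENTRY_DSN=${SENTRY_DSN}\n',
    "tools/dump_env.py": 'import os\nfor k, v in os.environ.items():\n    print(k)\n',
}

if __name__ == "__main__":
    report = scan(INFISICAL_KEYS, SAMPLE_FILES)
    print("Candidates for removal (review before deleting):", report["candidates"])
    if report["dynamic_access"]:
        print("Files with dynamic environment access; keys used there are invisible to this scan:",
              report["dynamic_access"])
```

The output is a review list, not a deletion list: a key that is absent from the checkout can still be consumed by another repository, by a deployment manifest outside version control, or only in one of the other environments mentioned in the issue, and nothing in a static scan can tell those cases apart from a genuinely dead key.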

dangtony98 commented 1 year ago

Hi @marnixhoh!

I think this is a great feature. Currently, however, since secrets are end-to-end encrypted, when they get used, everything is loaded in at once so we can't assign a lastTimeUsed at the individual secret-level; we do know when a secret was last updated in the dashboard though.

Ultimately, this comes down to an update we're thinking about at the moment that involves the server knowing the plaintext values of the environment variable keys (values would remain end-to-end encrypted); this would be up to users to opt in/out.

We're still discussing this internally but I'll keep you posted!

marnixhoh commented 1 year ago

Awesome! Thanks for your quick reply.

Yeah, that's exactly what I figured too. Hence, I thought maybe an IDE integration would be a neat way to offer this feature. The IDE integration can scan the codebase for all secrets used and then flag any secrets that are not used.

Thanks for the awesome product :)

dangtony98 commented 1 year ago

Hmm @marnixhoh, I've talked to the team already and we're definitely going to make it possible to query secrets by the value of their keys, which will enable lastTimeUsed.

We'll add the ability for users to be able to opt in for exposing just the value of their keys (by default it will be E2EE). That said, this will likely be available in a few weeks since it's quite a big decision / structural change.