How do you manage sensitive keys when using foreign developers?

This page summarizes the projects mentioned and recommended in the original post on

Our great sponsors
  • SonarLint - Deliver Cleaner and Safer Code - Right in Your IDE of Choice!
  • Scout APM - Less time debugging, more time building
  • JetBrains - Developer Ecosystem Survey 2022
  • Spruce

    A BOSH template merge tool (by geofffranks)

    The CI/CD has a service account with permissions to all envs, and during deployment it renders the config files and inserts the "real" values by pulling it from Vault/KMS. Something very simple is Spruce, which is actually a powerful general templating tool but I've seen it only used for vault secrets so far.

  • Vault

    A tool for secrets management, encryption as a service, and privileged access management

    There's a central key management service. Hashicorp Vault is pretty much the de-facto standard and most other tools integrate nicely with this. The only exception I've seen if companies are fully invested into a single cloud provider, in which case their cloud native alternative is used (AWS KMS, GCP KMS, Azure Keyvault). Even then, sometimes Vault is used as a frontend with the Cloud KMS as backing store.

  • SonarLint

    Deliver Cleaner and Safer Code - Right in Your IDE of Choice!. SonarLint is a free and open source IDE extension that identifies and catches bugs and vulnerabilities as you code, directly in the IDE. Install from your favorite IDE marketplace today.

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Suggest a related project

Related posts