Seclife
CLI tool to audit and assess the lifecycle and risk of secrets across AWS and GitHub
# seclife – Secrets Lifecycle Auditor
seclife inventories, analyzes, and reports on secrets across AWS and GitHub. It operates on metadata only — secret values are never read.
## Installation

```bash
poetry install   # or: pip install .
```
## Authentication

```bash
# AWS – standard boto3 chain, or:
export AWS_PROFILE=my-profile
# GitHub
export GITHUB_TOKEN=ghp_...
```

- AWS needs read-only metadata permissions; see `docs/aws_permissions.md`.
- The GitHub token needs the `repo` and `read:org` scopes; see `docs/github_permissions.md`.
## Usage

```bash
# Scan
seclife scan aws --regions eu-west-1 --out inventory.json
seclife scan github --org acme --out inventory.json
# Analyze
seclife analyze --in inventory.json --out findings.json
# Report (exit 1 if findings above threshold)
seclife report --in findings.json --format md --threshold high
# All-in-one
seclife doctor aws --regions eu-west-1 --threshold high --out report.md
seclife doctor github --org acme --threshold high --out report.md
```
Exit codes: 0 clean · 1 findings above threshold · 2 runtime error.
## Example Output

```markdown
## Summary
| Severity | Count |
|----------|-------|
| Critical | 0 |
| High | 2 |
| Medium | 1 |
| Low | 1 |
| **Total**| **4** |

### 1. AWS secret with rotation disabled and older than threshold [High]
**Rule:** `AWS_ROTATION_DISABLED_OLD` **Secret:** `prod/db-password` **Confidence:** 89/100
Secret is 396 days old with rotation disabled (threshold: 90 days)
```
See `examples/sample_output.md` for a full end-to-end example.
## Built-in Rules
| Rule | Severity |
|------|----------|
| AWS_ROTATION_DISABLED_OLD | High |
| GH_ORG_SECRET_VISIBLE_ALL | High |
| MISSING_TAGS | Medium |
| ZOMBIE_CANDIDATE | Low |
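The four rules above, worked through as a small metadata-only analyzer that mirrors the scan, analyze and report steps from the Usage section. This is an added illustration, not seclife's own code. The rule names and the `AWS_ROTATION_DISABLED_OLD` message are taken from this README; the 90-day and 180-day thresholds, the required `owner` tag, the severity ordering used for `--threshold`, the `SecretMeta` record, the "at or above threshold" reading of the exit-code rule and the sample inventory are all this example's assumptions. The AWS fields follow the `DescribeSecret` response and the GitHub fields the organization-secrets listing, so no secret value is ever requested.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)  # fixed clock so the run is deterministic
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}  # assumed --threshold ordering

@dataclass
class SecretMeta:
    """Normalised metadata record (assumed shape); the secret value is never fetched."""
    source: str                                  # "aws" or "github"
    name: str
    created: datetime
    rotation_enabled: bool | None = None         # AWS only
    last_accessed: datetime | None = None        # AWS only (the API reports it at day granularity)
    tags: dict[str, str] = field(default_factory=dict)  # AWS only
    visibility: str | None = None                # GitHub org secret: all | private | selected

@dataclass
class Finding:
    rule: str
    severity: str
    secret: str
    message: str

def from_describe_secret(d: dict) -> SecretMeta:
    """Map an AWS Secrets Manager DescribeSecret response; GetSecretValue is never called."""
    return SecretMeta("aws", d["Name"], d["CreatedDate"],
                      rotation_enabled=bool(d.get("RotationEnabled", False)),
                      last_accessed=d.get("LastAccessedDate"),
                      tags={t["Key"]: t["Value"] for t in d.get("Tags", [])})

def from_github_org_secret(d: dict) -> SecretMeta:
    """Map one entry of GET /orgs/{org}/actions/secrets, which exposes names and visibility only."""
    created = datetime.fromisoformat(d["created_at"].replace("Z", "+00:00"))
    return SecretMeta("github", d["name"], created, visibility=d["visibility"])

def aws_rotation_disabled_old(s: SecretMeta, max_age_days: int = 90) -> Finding | None:
    if s.source != "aws" or s.rotation_enabled:
        return None
    age = (NOW - s.created).days
    if age <= max_age_days:
        return None
    return Finding("AWS_ROTATION_DISABLED_OLD", "high", s.name,
                   f"Secret is {age} days old with rotation disabled (threshold: {max_age_days} days)")

def gh_org_secret_visible_all(s: SecretMeta) -> Finding | None:
    if s.source != "github" or s.visibility != "all":
        return None
    return Finding("GH_ORG_SECRET_VISIBLE_ALL", "high", s.name,
                   "Organization secret is exposed to workflows in every repository")

def missing_tags(s: SecretMeta, required: tuple[str, ...] = ("owner",)) -> Finding | None:
    if s.source != "aws":  # GitHub Actions secrets carry no tags
        return None
    absent = sorted(set(required) - set(s.tags))
    if not absent:
        return None
    return Finding("MISSING_TAGS", "medium", s.name, f"Missing required tag(s): {', '.join(absent)}")

def zombie_candidate(s: SecretMeta, idle_days: int = 180) -> Finding | None:
    if s.source != "aws":
        return None
    if s.last_accessed is not None and (NOW - s.last_accessed).days <= idle_days:
        return None
    when = "never" if s.last_accessed is None else f"{(NOW - s.last_accessed).days} days ago"
    return Finding("ZOMBIE_CANDIDATE", "low", s.name, f"Last accessed {when}; candidate for removal")

RULES = [aws_rotation_disabled_old, gh_org_secret_visible_all, missing_tags, zombie_candidate]

def analyze(inventory: list[SecretMeta]) -> list[Finding]:
    return [f for s in inventory for rule in RULES if (f := rule(s)) is not None]

def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = Counter(f.severity for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_RANK}

def exit_code(findings: list[Finding], threshold: str = "high") -> int:
    """0 clean, 1 if any finding is at or above the threshold; 2 is left for runtime errors."""
    bar = SEVERITY_RANK[threshold]
    return 1 if any(SEVERITY_RANK[f.severity] >= bar for f in findings) else 0

# Constructed sample inventory (fictional names) in the raw shapes the two APIs return.
SAMPLE_AWS = [
    {"Name": "prod/db-password", "CreatedDate": NOW - timedelta(days=396), "RotationEnabled": False,
     "LastAccessedDate": NOW - timedelta(days=1), "Tags": [{"Key": "owner", "Value": "payments"}]},
    {"Name": "staging/api-key", "CreatedDate": NOW - timedelta(days=30), "RotationEnabled": False,
     "LastAccessedDate": NOW - timedelta(days=2), "Tags": []},
    {"Name": "legacy/ftp-password", "CreatedDate": NOW - timedelta(days=500), "RotationEnabled": True,
     "Tags": [{"Key": "owner", "Value": "ops"}]},
]
SAMPLE_GITHUB = [
    {"name": "NPM_TOKEN", "created_at": "2024-06-01T10:00:00Z", "visibility": "all"},
    {"name": "DEPLOY_KEY", "created_at": "2024-09-10T08:30:00Z", "visibility": "selected"},
]

def sample_inventory() -> list[SecretMeta]:
    return [from_describe_secret(d) for d in SAMPLE_AWS] + [from_github_org_secret(d) for d in SAMPLE_GITHUB]

if __name__ == "__main__":
    found = analyze(sample_inventory())
    for f in found:
        print(f"[{f.severity.upper()}] {f.rule} {f.secret}: {f.message}")
    print(summarize(found), "-> exit", exit_code(found, "high"))
```

Run as a script it yields the same severity counts as the Example Output above (two High, one Medium, one Low) and exit status 1 for `--threshold high`; raising the threshold to `critical` drops the status to 0 because nothing meets the bar. Keeping each rule as a pure function over `SecretMeta` is what makes the analyzer safe to run with read-only credentials: nothing in the pipeline ever needs the permission to read a secret's value.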
## Development

```bash
poetry install
poetry run black --check .
poetry run isort --check-only .
poetry run flake8 seclife tests
poetry run mypy seclife
poetry run pytest -v
```
## License

MIT
