Secrets governance for secrets-as-code
Compliance that lives in your repo.
The Clef CLI enforces secrets policy on every PR through a scaffolded CI workflow, and the checks never decrypt a secret. Run `clef cloud init` for a compliance dashboard that reads live from your CI artifacts and stores nothing.
| Check | Result | Details |
|---|---|---|
| Secret scan | ✓ passed | No plaintext detected in diff · 3 encrypted files changed |
| Policy lint | ✓ passed | .clef/policy.yaml valid · version: 1 · scan + lint + drift enabled |
| Rotation | ⚠ warning | api-keys: 94d since last rotation · policy requires 90d · 1 namespace overdue |
| Compliance | ✓ updated | compliance artifact saved to Actions · 12 secrets · 11 compliant · 1 overdue |
Already using Clef? Run `clef cloud init` to install the GitHub App and open your compliance dashboard. Free for up to 3 repos.
how it works
Enforce. Monitor. Govern.
One CLI command scaffolds enforcement. Every PR gets checked by your own CI. The dashboard shows you what's compliant.
Run `clef init` in your repo. It creates a policy file (`.clef/policy.yaml`) and scaffolds a CI workflow that runs scan, lint, and compliance checks on every PR. No infrastructure required.
Run `clef cloud init` to connect the dashboard. It reads compliance artifacts from your CI; nothing is stored on our servers. Free for up to 3 repos.
Upgrade to see compliance state across every repo in your org. Track rotation deadlines, get alerted before they lapse, and export audit evidence to PDF. Your git history does the rest.
features
Why Clef?
Secrets governance that only exists because your secrets live in git.
Never decrypts your secrets and never stores your data. It reads SOPS metadata and PR diffs, nothing else, so there is no secret material on our side to breach.
Every pull request is scanned for plaintext leaks, linting violations, and policy compliance. Bad changes get blocked before they land.
Every secret change is a commit with a PR, reviewer, and approval (given branch protection that requires review). Compliance evidence is in git, and auditors can verify it independently.
Your workflow runs `clef policy report` on every merge. The artifact stays in GitHub Actions; the dashboard pulls it via the GitHub API on demand. Nothing is stored on our side.
Know which secrets are overdue for rotation across every repo. Get alerts before compliance deadlines, not after.
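Both the plaintext scan and the rotation check described above can be done from SOPS metadata alone, without any decryption key. The following is an added example, not Clef's own code: it checks a constructed SOPS-encrypted JSON file for leaves that are not `ENC[...]` blobs (skipping the `sops` block and keys carrying the file's `unencrypted_suffix`) and derives the file's age from `sops.lastmodified`. The sample file, the fixed clock `NOW`, the 90-day limit and the `check_file` helper are assumptions for illustration.

```python
"""Key-free policy checks over a SOPS-encrypted file.

Added example, not Clef's own code. It assumes a SOPS JSON file (the YAML
layout is identical but needs a YAML parser) and two standard SOPS
metadata keys: sops.lastmodified and sops.unencrypted_suffix.
"""
import json
import re
from datetime import datetime, timezone

# Shape of a SOPS-encrypted leaf. Recognising it needs no data key, which is
# what lets a CI job run this check without holding any secret.
ENC_RE = re.compile(
    r"^ENC\[AES256_GCM,data:[^,]+,iv:[^,]+,tag:[^,]+,type:(str|int|float|bool)\]$"
)

# Constructed sample (assumption): a SOPS file in which one leaf, api_key,
# was committed in plaintext by mistake. The blobs are dummy base64.
SAMPLE = json.loads(r'''{
  "db_password": "ENC[AES256_GCM,data:Ze0q,iv:AAAA,tag:BBBB,type:str]",
  "api_key": "hunter2",
  "region_unencrypted": "eu-west-1",
  "nested": {"token": "ENC[AES256_GCM,data:Zg==,iv:AAAA,tag:BBBB,type:str]"},
  "sops": {
    "age": [{"recipient": "age1example",
             "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nZHVtbXk=\n-----END AGE ENCRYPTED FILE-----\n"}],
    "lastmodified": "2025-01-01T12:00:00Z",
    "mac": "ENC[AES256_GCM,data:ZHVtbXk=,iv:AAAA,tag:BBBB,type:str]",
    "unencrypted_suffix": "_unencrypted",
    "version": "3.9.0"
  }
}''')

# Fixed clock (assumption) so the example is deterministic: 94 days after
# the sample's lastmodified, matching the rotation warning in the PR table.
NOW = datetime(2025, 4, 5, 12, 0, tzinfo=timezone.utc)


def plaintext_leaves(doc, suffix="_unencrypted", path=()):
    """Return dotted key paths whose value is neither ENC[...] nor exempt.

    Exempt: the root `sops` metadata block, and any key (with its whole
    subtree) ending in the file's unencrypted_suffix, which SOPS leaves in
    clear on purpose.
    """
    hits = []
    for key, value in doc.items():
        if not path and key == "sops":
            continue
        if key.endswith(suffix):
            continue
        here = path + (key,)
        if isinstance(value, dict):
            hits.extend(plaintext_leaves(value, suffix, here))
        elif isinstance(value, list):
            # SOPS encrypts list elements individually.
            for i, item in enumerate(value):
                if isinstance(item, dict):
                    hits.extend(plaintext_leaves(item, suffix, here + (str(i),)))
                elif not (isinstance(item, str) and ENC_RE.match(item)):
                    hits.append(".".join(here + (str(i),)))
        elif not (isinstance(value, str) and ENC_RE.match(value)):
            hits.append(".".join(here))
    return hits


def rotation_age_days(doc, now=NOW):
    """Days since SOPS last rewrote the file, from sops.lastmodified."""
    stamp = doc["sops"]["lastmodified"].replace("Z", "+00:00")
    return (now - datetime.fromisoformat(stamp)).days


def check_file(doc, max_age_days=90, now=NOW):
    """Combine scan and rotation check into one PR-style verdict."""
    suffix = doc.get("sops", {}).get("unencrypted_suffix", "_unencrypted")
    leaks = plaintext_leaves(doc, suffix)
    age = rotation_age_days(doc, now)
    overdue = age > max_age_days
    return {
        "leaks": leaks,
        "age_days": age,
        "rotation_overdue": overdue,
        "passed": not leaks and not overdue,
    }


if __name__ == "__main__":
    result = check_file(SAMPLE)
    print("Secret scan:", "passed" if not result["leaks"] else f"FAILED {result['leaks']}")
    print("Rotation:   ", f"{result['age_days']}d since last change,",
          "overdue" if result["rotation_overdue"] else "ok")
```

Two caveats a practitioner should keep in mind. `sops.lastmodified` is rewritten on any edit, not only on a data-key rotation, and it is plain metadata that anyone with commit access can hand-edit; the independent check is `git log` on the file path, which is why the page puts the evidence in git history rather than in the metadata alone. Also, the `sops.mac` cannot be verified without the data key, so this check shows that no leaf is plaintext but says nothing about the integrity of the ciphertext. A production scan must additionally honour `encrypted_regex`, `unencrypted_regex` and `encrypted_suffix` when the file's metadata declares them, since they change which keys are exempt.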
GitHub today. GitLab and Bitbucket next. Your compliance story works everywhere your code lives. No platform lock-in.
pricing
Free to enforce. Pay to govern.
The CLI and CI enforcement are open source — no account required. The cloud dashboard adds visibility and governance for teams.
- Encrypt & decrypt with SOPS
- age, PGP, AWS KMS, GCP KMS, Azure KV
- Lint, drift, scan, policy commands
- Scaffolded CI workflow (scan + lint on every PR)
- Compliance dashboard for up to 3 repos in 1 account
- Up to 3 GitHub accounts (personal + orgs)
- Up to 10 repos covered across them
- Deadline alerts (Email, Slack, Teams)
- Cross-repo compliance aggregation
- Historical trending
- Up to 10 GitHub accounts
- Up to 50 repos covered across them
- SOC2 / PCI / HIPAA framework mapping
- PDF export for auditors
- Org-wide rollups & cross-org governance
- Unlimited accounts and repos
- GHES / self-hosted bot
- SSO (SAML / OIDC)
- Custom compliance frameworks
- Dedicated support & SLA
get started
Ready to automate secrets compliance?
One CLI command scaffolds enforcement. Your next PR gets compliance checks automatically. No infrastructure, no custody, no ongoing ops.
Install Clef. Already set up? Open the dashboard →