Compliance that lives in your repo.
The Clef CLI enforces secrets policy on every PR via a scaffolded workflow — without ever touching a secret.
Run clef cloud init for a compliance dashboard that reads live from your CI artifacts and stores nothing.
Governance for secrets-as-code
Never decrypts your secrets and never stores your data. Reads SOPS metadata and PR diffs — nothing else. Nothing to breach because nothing is kept.
Scans every pull request for plaintext leaks, linting violations, and policy compliance. Blocks before bad changes land.
Every secret change is a commit with a PR, reviewer, and approval. The compliance evidence writes itself — auditors can verify it independently.
Writes .clef/compliance.json on every merge — tracking rotation, policy adherence, and change provenance directly in your repo.
Login, select repos, see org-wide compliance posture. Nothing stored by Clef. Export to PDF for your next audit.
GitHub today. GitLab and Bitbucket coming. Your compliance story works everywhere your code lives.