# GitHub Integration

DotVault integrates seamlessly with GitHub to provide automated secret management for your repositories.

## Overview

The GitHub integration enables:

- Sync secrets to GitHub repository secrets
- Pull requests with environment variable updates
- Actions workflows for automated deployments
- Repository scanning for exposed secrets
- Deployment protection with required reviewers
## Setup

### 1. Install the GitHub App

- Go to Project Settings → Integrations → GitHub
- Click Connect GitHub
- Select repositories to connect
- Choose permission level:
  - Read-only: View repository secrets
  - Read/Write: Sync secrets to GitHub
  - Admin: Full access including Actions
### 2. Configure Sync

After installation, configure which environments sync to which repositories:

```bash
# Via CLI
dotvault github sync my-project \
  --env production \
  --repo owner/repo \
  --branch main \
  --auto-sync false
```

Or via web interface:

- Go to Integrations → GitHub → Sync Rules
- Click Add Sync Rule
- Select:
  - Source environment (e.g., production)
  - Target repository
  - Target branch
  - Sync mode (manual or automatic)
## Sync Modes

### Manual Sync

Requires explicit approval before syncing:

- Make changes in DotVault
- Go to GitHub → Pending Syncs
- Review the diff
- Click Sync to GitHub

### Automatic Sync

Syncs automatically on environment changes:

- Immediate sync for non-destructive changes
- Pull request for destructive changes (deletions)
- Configurable delay for batching changes

### Pull Request Mode

Creates a PR for review before applying:

- Changes made in DotVault
- PR automatically created in GitHub
- Team reviews and approves
- Merging applies changes to repository secrets
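The routing rules above (immediate push for non-destructive changes, pull request for deletions, approval queue in manual mode) together with the `secretPrefix` from the sync-config API, as an added illustration in Python. This is not DotVault's own code; the function names, the `"pr"` mode name and the data shapes are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class SyncPlan:
    """Secret names as they will appear in GitHub, grouped by operation."""
    create: list = field(default_factory=list)
    update: list = field(default_factory=list)
    delete: list = field(default_factory=list)
    route: str = "noop"  # noop | immediate | pending_approval | pull_request


def plan_sync(env_secrets, github_secret_names, secret_prefix="", mode="automatic"):
    """Diff a DotVault environment against the secret names in a repository.

    GitHub's API lists secret names only, never values, so a name present on
    both sides is re-pushed as an update. Only names under secret_prefix (the
    sync rule's secretPrefix, e.g. "PROD_") count as managed, so unrelated
    repository secrets such as DOTVAULT_API_KEY are never scheduled for
    deletion; note that an empty prefix makes every repo secret a candidate.
    mode is "manual", "automatic" or "pr" (the last name is assumed here).
    """
    desired = {secret_prefix + name: value for name, value in env_secrets.items()}
    existing = set(github_secret_names)
    plan = SyncPlan()
    for name in sorted(desired):
        (plan.update if name in existing else plan.create).append(name)
    for name in sorted(existing):
        if name.startswith(secret_prefix) and name not in desired:
            plan.delete.append(name)

    if not (plan.create or plan.update or plan.delete):
        plan.route = "noop"              # nothing changed, nothing to record
    elif mode == "manual":
        plan.route = "pending_approval"  # surfaces under GitHub → Pending Syncs
    elif mode == "automatic" and not plan.delete:
        plan.route = "immediate"         # non-destructive: push right away
    else:
        plan.route = "pull_request"      # deletions, or PR mode: review first
    return plan


if __name__ == "__main__":
    # Constructed sample: the repo holds one managed secret that is still
    # current, one stale managed secret, and the integration's own API key.
    print(plan_sync({"DATABASE_URL": "postgres://...", "API_KEY": "k"},
                    ["PROD_API_KEY", "PROD_OLD_TOKEN", "DOTVAULT_API_KEY"],
                    secret_prefix="PROD_"))
```

The stale `PROD_OLD_TOKEN` forces the sample run onto the pull-request route even though the mode is automatic, which is the behaviour a reviewer should expect to see before any repository secret disappears.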
## GitHub Actions Integration

### Workflow Example

```yaml
name: Deploy
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Option 1: Use GitHub repository secrets (synced from DotVault)
      - name: Deploy
        run: npm run deploy
        env:
          DATABASE_URL: ${{ secrets.DATABASE_URL }}
          API_KEY: ${{ secrets.API_KEY }}

      # Option 2: Fetch directly from DotVault
      - name: Fetch from DotVault
        uses: dotvault/action@v1
        with:
          api-key: ${{ secrets.DOTVAULT_API_KEY }}
          project: my-project
          env: production
```
### DotVault GitHub Action

```yaml
- name: Fetch secrets from DotVault
  uses: dotvault/action@v1
  with:
    # Required
    api-key: ${{ secrets.DOTVAULT_API_KEY }}
    project: my-project
    env: production
    # Optional
    output: .env    # Output file (default: .env)
    format: env     # Output format: env, json, yaml
    mask: true      # Mask secrets in logs
    export: true    # Export to environment
```
## Secret Scanning

### Repository Scanning

Scan your repositories for exposed secrets:

```bash
# Via CLI
dotvault github scan owner/repo
```

```http
# Via API
POST /api/github/scan
{
  "repository": "owner/repo",
  "branch": "main"
}
```

### Findings

Detected secrets are:

- Reported in DotVault dashboard
- Alerted via Slack/Email
- Rotated automatically (if configured)
- Documented in audit logs

### Supported Secret Types

- API keys (AWS, Stripe, OpenAI, etc.)
- Database connection strings
- JWT tokens
- Private keys
- Passwords
- Custom patterns
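A minimal detector for the secret types listed above, added here as an illustration in Python; it is not DotVault's scanner. The patterns follow widely known public token formats, the custom pattern and every value in the sample file are constructed, and findings are masked before being reported, as the Action's `mask` option does for logs.

```python
import re

# Well-known token shapes for the listed secret types. Where a pattern has a
# capture group, only that group (the secret itself) is reported.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "db_connection_string": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^\s:/]+:([^\s@]+)@"),
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]?([^\s'\"]{8,})"),
}


def mask(value, keep=4):
    """Keep a short prefix so the finding is identifiable but not reusable."""
    return value[:keep] + "*" * max(0, len(value) - keep)


def scan_text(text, custom_patterns=None):
    """Return (line_no, secret_type, masked_value) for every match in text.
    custom_patterns maps a name to a regex string ("Custom patterns" above)."""
    patterns = dict(PATTERNS)
    for name, rx in (custom_patterns or {}).items():
        patterns[name] = re.compile(rx)
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in patterns.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.lastindex else m.group(0)
                findings.append((line_no, kind, mask(value)))
    return findings


# Constructed sample file; every value is fake and only follows the public format.
SAMPLE = """\
# example .env accidentally committed
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00
STRIPE_KEY=sk_test_FAKEFAKEFAKEFAKEFAKE0000
DATABASE_URL=postgres://app:s3cretpass@db.internal:5432/app
SESSION_TOKEN=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.abc123def456
-----BEGIN RSA PRIVATE KEY-----
ADMIN_PASSWORD="hunter2hunter2"
INTERNAL_ID=DV-12345678
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE, {"internal_id": r"\bDV-\d{8}\b"}):
        print(finding)
```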
## Deployment Protection

### Required Reviewers

Configure required reviewers for production deployments:

- Go to GitHub → Deployment Protection
- Enable Required Reviewers
- Select reviewers from team members
- Set minimum number of approvals

### Environment Protection Rules

```yaml
# .github/workflows/deploy.yml
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment:
      name: production
      url: ${{ steps.deploy.outputs.url }}
    steps:
      - uses: actions/checkout@v4
      - name: Verify DotVault sync
        uses: dotvault/verify-action@v1
        with:
          project: my-project
          env: production
      - name: Deploy
        id: deploy  # referenced by environment.url above; must set a `url` output
        run: npm run deploy
```
## Branch Protection

### Sync on Protected Branches

For protected branches, DotVault:

- Creates a PR with secret changes
- Requires status checks to pass
- Requires code review approval
- Applies changes only after merge

### Bypass Protection

Emergency access can bypass protection:

```bash
dotvault github sync my-project \
  --env production \
  --repo owner/repo \
  --emergency \
  --reason "Critical security patch"
```
## API Reference

### Install GitHub App

```http
POST /api/projects/{projectId}/github/install
{
  "installationId": "12345678",
  "repositories": ["owner/repo1", "owner/repo2"],
  "permissions": "read-write"
}
```

### Configure Sync

```http
POST /api/projects/{projectId}/github/sync-config
{
  "envLabel": "production",
  "repository": "owner/repo",
  "branch": "main",
  "mode": "manual",
  "secretPrefix": "PROD_"
}
```

### Trigger Sync

```http
POST /api/projects/{projectId}/github/sync
{
  "envLabel": "production",
  "repository": "owner/repo",
  "branch": "main"
}
```

### Get Sync Status

```http
GET /api/projects/{projectId}/github/sync-status
```

Response:

```json
{
  "data": {
    "syncs": [
      {
        "id": "sync_xxx",
        "envLabel": "production",
        "repository": "owner/repo",
        "branch": "main",
        "status": "completed",
        "lastSyncedAt": "2024-01-15T10:30:00Z",
        "secretsCount": 12
      }
    ]
  }
}
```

### List Repository Secrets

```http
GET /api/github/repos/{owner}/{repo}/secrets
```

Response:

```json
{
  "data": {
    "secrets": [
      {
        "name": "DATABASE_URL",
        "createdAt": "2024-01-15T10:30:00Z",
        "updatedAt": "2024-01-15T10:30:00Z"
      }
    ],
    "totalCount": 12
  }
}
```
## CLI Commands

```bash
# Connect GitHub
dotvault github connect my-project

# Configure sync
dotvault github sync-config my-project \
  --env production \
  --repo owner/repo \
  --branch main \
  --mode manual

# Trigger sync
dotvault github sync my-project --env production --repo owner/repo

# List sync configurations
dotvault github sync-list my-project

# Remove sync configuration
dotvault github sync-remove my-project --env production --repo owner/repo

# Scan repository
dotvault github scan owner/repo --branch main

# Generate Actions workflow
dotvault github workflow my-project --env production --file .github/workflows/deploy.yml
```
## Best Practices

### 1. Use Separate Environments

Create separate GitHub environments for:

- Development
- Staging
- Production

Each environment receives its own secret set from DotVault.

### 2. Enable Required Reviewers

Always require review for production:

- Minimum 1 approval for staging
- Minimum 2 approvals for production
- Include security team for sensitive changes

### 3. Regular Scanning

Schedule regular secret scanning:

```yaml
# .github/workflows/scan.yml
name: Secret Scan
on:
  schedule:
    - cron: "0 0 * * 0"  # Weekly
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: dotvault/scan-action@v1
        with:
          api-key: ${{ secrets.DOTVAULT_API_KEY }}
          project: my-project
```

### 4. Audit Sync Activity

Review sync logs regularly:

```bash
dotvault audit my-project --action github_sync
```

### 5. Use PR Mode for Production

Always use pull request mode for production changes:

- Provides audit trail
- Enables code review
- Prevents accidental changes
- Integrates with branch protection
## Troubleshooting

### Sync Failed

- Check GitHub App permissions
- Verify repository access
- Check branch protection rules
- Review audit logs for errors

### Secrets Not Updating

- Check sync configuration
- Verify environment label matches
- Check for typos in secret names
- Review GitHub Actions logs

### Authentication Issues

- Re-install GitHub App
- Check token expiration
- Verify organization permissions
- Contact support if persistent
## Security

### Permissions

The GitHub App requests minimal permissions:

- Repository secrets: Read/Write
- Actions: Read (for workflow triggers)
- Contents: Read (for PR creation)
- Pull requests: Write (for sync PRs)

### Data Flow

- Secrets encrypted in transit (TLS 1.3)
- Never stored on GitHub servers (only metadata)
- Audit log of all sync operations
- Revocable access at any time

### Access Control

- Only project owners can configure sync
- Only editors can trigger manual sync
- All syncs logged in audit trail
- Failed syncs generate alerts
## Pricing

GitHub integration features by plan:

| Feature | Free | Pro | Enterprise |
|---|---|---|---|
| Manual sync | ✓ | ✓ | ✓ |
| Automatic sync | - | ✓ | ✓ |
| PR mode | - | ✓ | ✓ |
| Secret scanning | - | 10 repos | Unlimited |
| Required reviewers | - | ✓ | ✓ |
| Custom workflows | - | - | ✓ |
## Support

For GitHub integration support:

- Documentation: https://docs.dotvault.io/github
- Community: https://community.dotvault.io
- Support: support@dotvault.io
- Status: https://status.dotvault.io