Secret Providers

Shield is provider-agnostic. It doesn’t force you to migrate your secrets to a specific format or platform. Instead, it aggregates secrets from the places they already live.

The Resolver Pattern

When you run dotset run, Shield uses a Secret Resolver to collect data from a list of configured providers.

Supported Providers

1. Dotenv (dotenv)

Automatically detects .env, .env.local, .env.development, and .env.production. This enables zero-migration setup for most web projects.

2. AWS Secrets Manager (aws-sm)

Pulls secrets directly from AWS using the AWS SDK. This is ideal for production environments where secrets are managed at the infrastructure layer.

3. Environment (environment)

Captures existing shell environment variables. By default, it looks for variables prefixed with SHIELD_, but this prefix is configurable.

4. Native Storage (dotset)

Dotset’s native encrypted storage. Secrets are stored in .dotset/manifest.enc and encrypted with a local AES-256 key.

Provider Priority

Providers are evaluated in the order they are defined. If multiple providers define the same secret key, the last one wins.
  • Auto Mode: By default (--providers auto), Shield evaluates providers in this order: dotenv -> environment -> dotset.
  • Manual Mode: You can override this using the --providers flag.

# Prioritize AWS secrets over local .env files
dotset run --providers dotenv,aws-sm -- npm start

Streaming Redaction Engine

Regardless of the source, once secrets are resolved, they are automatically tracked by Shield’s Streaming Redaction Engine. Unlike simple regex scanners, this engine uses a line-buffered approach. This ensures that even if a secret is split across two network packets (chunks) in your CI output, Shield will pause, buffer, and redact correctly before the data is flushed to your logs.
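As an added illustration (not dotset's own code), the following JavaScript models both behaviours described above: the last-wins resolver from Provider Priority and a line-buffered redactor that still catches a secret split across two chunks. The provider contents are constructed sample values, and resolveSecrets / createRedactor are hypothetical names, not Shield's API.

```javascript
// Each provider is modelled as a function returning a plain object of secrets.
// Provider names mirror the docs; the values are constructed sample data.
const providers = {
  dotenv:      () => ({ DB_PASSWORD: 'local-dev-pw', API_KEY: 'key-from-dotenv' }),
  environment: () => ({ API_KEY: 'key-from-shell' }),        // e.g. SHIELD_API_KEY in the shell
  dotset:      () => ({ API_KEY: 'key-from-dotset-manifest' }),
  'aws-sm':    () => ({ DB_PASSWORD: 'prod-pw-from-aws-9f3' }),
};

// Order used by --providers auto, as documented above.
const AUTO_ORDER = ['dotenv', 'environment', 'dotset'];

// Evaluate providers in the given order; a later provider overrides an earlier one.
function resolveSecrets(order) {
  return order.reduce((acc, name) => Object.assign(acc, providers[name]()), {});
}

// Line-buffered redactor: only complete lines are flushed, so a secret whose
// characters arrive in two separate chunks is matched once the newline arrives.
function createRedactor(secretValues) {
  // Longest first, so a secret that is a prefix of another cannot leave a tail behind.
  const values = [...secretValues].filter(Boolean).sort((a, b) => b.length - a.length);
  let pending = '';
  const redactText = (text) =>
    values.reduce((s, v) => s.split(v).join('[REDACTED]'), text);
  return {
    // Feed one chunk; returns the redacted text that is safe to flush (whole lines only).
    write(chunk) {
      pending += chunk;
      const lastNewline = pending.lastIndexOf('\n');
      if (lastNewline === -1) return '';   // line not complete yet: keep buffering
      const complete = pending.slice(0, lastNewline + 1);
      pending = pending.slice(lastNewline + 1);
      return redactText(complete);
    },
    // End of stream: redact and flush a trailing line that has no newline.
    end() {
      const rest = redactText(pending);
      pending = '';
      return rest;
    },
  };
}
```

A naive per-chunk regex scan would emit `connecting with prod-pw-fr` unredacted before the second chunk arrived; buffering to the newline is what prevents that.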