
Security Architecture

Mantle is designed with security-first principles. It never stores your secrets — it only protects them in transit through your build logs.

Zero Storage Architecture

Mantle doesn’t store secrets. It operates purely as a runtime protection layer:
┌─────────────────────────────────────────────────────┐
│  Your Secrets (from .env, AWS SM, CI secrets)       │
│                    │                                │
│                    ▼                                │
│  ┌────────────────────────────────────┐            │
│  │  Secret Resolver                   │            │
│  │  (aggregates from all providers)   │            │
│  └────────────────────────────────────┘            │
│                    │                                │
│                    ▼                                │
│  ┌────────────────────────────────────┐            │
│  │  Redaction Engine                  │            │
│  │  (tracks values in-memory)         │            │
│  └────────────────────────────────────┘            │
│                    │                                │
│                    ▼                                │
│  ┌────────────────────────────────────┐            │
│  │  Protected Output                  │            │
│  │  [REDACTED] in logs                │            │
│  └────────────────────────────────────┘            │
└─────────────────────────────────────────────────────┘

Provider Security

Secrets are pulled from your existing providers and processed in-memory only:
Provider               Source              Storage
.env files             Your repository     You control
AWS Secrets Manager    AWS infrastructure  AWS manages
Environment variables  CI/CD platform      Platform manages
Mantle never writes these secrets to disk. They exist only in process memory during execution.

Threat Model

Mantle protects against:
Threat                Protection
Log exposure          Real-time streaming redaction
Split-chunk secrets   Line-buffered detection
Pattern detection     Regex + exact value matching
CI log scraping       Secrets redacted before logging

Runtime Guarantees

  1. In-memory only — Secret values never written to disk by Mantle
  2. Process isolation — Secrets scoped to child process environment
  3. Stream interception — stdout/stderr monitored before output
  4. Line buffering — Handles secrets split across chunks
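The line-buffered, exact-plus-regex redaction described under Threat Model and Runtime Guarantees, as an added Python example that is not Mantle's own code: the secret value, the AKIA-style pattern and the log chunks are constructed sample input, and the class and function names are assumptions.

```python
import re
from typing import Iterable, List, Optional

REDACTED = "[REDACTED]"


class LineBufferedRedactor:
    """Redacts exact secret values and regex patterns from a chunked stream.

    Chunks are accumulated until a newline arrives, so a secret whose bytes
    arrive in two separate chunks is still matched as one value. Secret values
    live only in this object's memory; nothing is written to disk.
    """

    def __init__(self, secrets: Iterable[str], patterns: Iterable[str] = ()):
        # Longest value first, so a secret that is a prefix of another secret
        # cannot leave the longer secret's tail unredacted.
        values = sorted({s for s in secrets if s}, key=len, reverse=True)
        self._exact: Optional[re.Pattern] = (
            re.compile("|".join(re.escape(v) for v in values)) if values else None
        )
        self._patterns = [re.compile(p) for p in patterns]
        self._buffer = ""
        self.hits = 0  # count of redactions, useful for a detect/audit mode

    def _redact_line(self, line: str) -> str:
        matchers = ([self._exact] if self._exact else []) + self._patterns
        for matcher in matchers:
            line, n = matcher.subn(REDACTED, line)
            self.hits += n
        return line

    def feed(self, chunk: str) -> List[str]:
        """Consume one stdout/stderr chunk; return only completed, redacted lines."""
        self._buffer += chunk
        out: List[str] = []
        while "\n" in self._buffer:
            line, self._buffer = self._buffer.split("\n", 1)
            out.append(self._redact_line(line) + "\n")
        return out

    def flush(self) -> str:
        """At end of stream, redact and release the trailing partial line, if any."""
        tail, self._buffer = self._buffer, ""
        return self._redact_line(tail) if tail else ""


def redact_stream(chunks: Iterable[str], secrets: Iterable[str], patterns: Iterable[str] = ()) -> str:
    # Hypothetical driver: feed every chunk, then flush the final partial line.
    redactor = LineBufferedRedactor(secrets, patterns)
    out: List[str] = []
    for chunk in chunks:
        out.extend(redactor.feed(chunk))
    out.append(redactor.flush())
    return "".join(out)
```

Secrets that themselves contain a newline are not handled by line buffering and would need a different strategy.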

Best Practices

  1. Use your existing secrets infrastructure (CI secrets, AWS SM, etc.)
  2. Run Mantle in redact mode in production CI
  3. Use detect mode for auditing existing pipelines
  4. Generate compliance reports with the --report flag