mpx-secrets-audit
v1.2.0
Secrets expiration tracking and audit CLI. Monitor API keys, tokens, and credentials. AI-native with JSON output and MCP server.
mpx-secrets-audit 🔐
Track, audit, and get warned before your API keys and secrets expire.
Think "Fitbit for API keys" — it doesn't store secrets (that's Vault/Doppler), it tracks their age, expiry, and rotation status.
Part of the Mesaplex developer toolchain.
Features
- Secret lifecycle tracking — Track age, expiry, and rotation status
- Status dashboard — Color-coded health overview of all secrets
- Rotation policies — Get warned when secrets are due for rotation
- CI/CD ready — Exit codes, JSON output, no GUI dependency
- Multiple report formats — Text, JSON, Markdown, PDF (JSON/Markdown Pro)
- Cloud scanners — Auto-detect AWS IAM keys and GitHub PATs (Pro)
- MCP server — Integrates with any MCP-compatible AI agent
- Self-documenting — `--schema` returns a machine-readable tool description
- No secrets stored — Only metadata (names, dates, providers), never actual values
Installation
```bash
npm install -g mpx-secrets-audit
```

Or run directly with npx:

```bash
npx mpx-secrets-audit init
```

Requirements: Node.js 18+ · No native dependencies · macOS, Linux, Windows
Quick Start
```bash
# 1. Initialize config file
mpx-secrets-audit init

# 2. Add a secret to track
mpx-secrets-audit add stripe-api-key \
  --provider stripe \
  --type api_key \
  --created 2025-06-15 \
  --rotation 90

# 3. Check status
mpx-secrets-audit check

# 4. List all secrets
mpx-secrets-audit list

# 5. Generate report
mpx-secrets-audit report
```

Usage
Initialize
```bash
mpx-secrets-audit init           # Local config (.secrets-audit.json)
mpx-secrets-audit init --global  # Global config (~/.config/mpx-secrets-audit/)
```

Add a Secret
```bash
# With flags
mpx-secrets-audit add github-token \
  --provider github \
  --type personal_access_token \
  --created 2025-01-15 \
  --expires 2026-01-15 \
  --rotation 90 \
  --notes "Production token with repo access"

# Interactive mode
mpx-secrets-audit add my-api-key --interactive
```

Options: `--provider`, `--type`, `--created`, `--expires`, `--rotation` (days), `--notes`, `--interactive`
Check Status
```bash
mpx-secrets-audit check                          # Standard check
mpx-secrets-audit check --ci                     # CI mode (exit codes)
mpx-secrets-audit check --ci --fail-on warning   # Fail on warnings
```

List Secrets
```bash
mpx-secrets-audit list                    # List all
mpx-secrets-audit list --status warning   # Filter by status
mpx-secrets-audit list --status critical
```

Rotate & Remove
```bash
mpx-secrets-audit rotate stripe-api-key   # Mark as rotated (updates date)
mpx-secrets-audit remove old-api-key      # Stop tracking
```

Reports
```bash
mpx-secrets-audit report                                     # Text report
mpx-secrets-audit report --format json                       # JSON (Pro)
mpx-secrets-audit report --format markdown                   # Markdown (Pro)
mpx-secrets-audit report --format markdown --output report.md
mpx-secrets-audit report --pdf audit-report.pdf              # PDF export
```

Cloud Scanners (Pro)
```bash
# AWS IAM key discovery
mpx-secrets-audit scan-aws
mpx-secrets-audit scan-aws --auto-add

# GitHub PAT verification
GITHUB_TOKEN=ghp_xxx mpx-secrets-audit scan-github
GITHUB_TOKEN=ghp_xxx mpx-secrets-audit scan-github --auto-add
```

Status Logic
| Status | Emoji | Criteria |
|--------|-------|----------|
| Healthy | 🟢 | Within rotation policy, not near expiry |
| Warning | 🟡 | >75% through rotation policy OR <30 days to expiry |
| Critical | 🔴 | Past rotation policy OR <7 days to expiry |
| Expired | ⛔ | Past expiry date |
AI Agent Usage
mpx-secrets-audit is designed to be used by AI agents as well as humans.
JSON Output
Add --json to any command for structured, machine-readable output:
```bash
mpx-secrets-audit check --json
```

```json
{
  "success": true,
  "total": 5,
  "summary": {
    "healthy": 3,
    "warning": 1,
    "critical": 1,
    "expired": 0
  },
  "secrets": { ... },
  "actionRequired": true
}
```

Schema Discovery
```bash
mpx-secrets-audit --schema
```

Returns a complete JSON schema describing all commands, flags, inputs, outputs, and examples.
MCP Integration
Add to your MCP client configuration (Claude Desktop, Cursor, Windsurf, etc.):
```json
{
  "mcpServers": {
    "mpx-secrets-audit": {
      "command": "npx",
      "args": ["mpx-secrets-audit", "mcp"]
    }
  }
}
```

The MCP server exposes these tools:
- `init` — Create config file
- `add_secret` — Add secret to track
- `list_secrets` — List all secrets with status
- `check_secrets` — Run full audit
- `remove_secret` — Remove secret from tracking
- `rotate_secret` — Mark secret as rotated
- `get_schema` — Get full tool schema
Exit Codes
| Code | Meaning |
|------|---------|
| 0 | All secrets healthy |
| 1 | Warnings found (with --fail-on warning) |
| 2 | Critical or expired secrets found |
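The Status Logic table above and the exit-code table here, applied in JavaScript as an added example (not code from mpx-secrets-audit itself). It assumes a metadata record shaped `{ name, created, expires?, rotation? }` mirroring the CLI flags, and audits a constructed inventory as of a fixed date so every status appears once:

```javascript
// Added example, not mpx-secrets-audit's own code: the README's status rules
// and exit codes applied to constructed metadata records (no secret values).
// Assumed record shape: { name, created, expires?, rotation? }, mirroring the
// CLI flags; ISO date strings parse as UTC midnight.
const DAY_MS = 24 * 60 * 60 * 1000;
const daysBetween = (from, to) => (to - from) / DAY_MS;

// One secret's status as of `now`, following the Status Logic table.
function classify(secret, now) {
  const age = daysBetween(new Date(secret.created), now);
  const daysToExpiry = secret.expires
    ? daysBetween(now, new Date(secret.expires))
    : Infinity; // no expiry date: never "near expiry"
  const rotationUsed = secret.rotation ? age / secret.rotation : 0;

  if (daysToExpiry < 0) return "expired"; // past expiry date
  if (rotationUsed > 1 || daysToExpiry < 7) return "critical"; // past rotation policy
  if (rotationUsed > 0.75 || daysToExpiry < 30) return "warning";
  return "healthy";
}

// Whole-inventory audit in the shape of `check --json`.
function audit(secrets, now) {
  const summary = { healthy: 0, warning: 0, critical: 0, expired: 0 };
  const statuses = {};
  for (const s of secrets) {
    statuses[s.name] = classify(s, now);
    summary[statuses[s.name]] += 1;
  }
  const actionRequired = summary.warning + summary.critical + summary.expired > 0;
  return { success: true, total: secrets.length, summary, secrets: statuses, actionRequired };
}

// Exit code per the Exit Codes table; failOn "warning" mirrors `--fail-on warning`.
function exitCode(summary, failOn = "critical") {
  if (summary.critical > 0 || summary.expired > 0) return 2;
  if (summary.warning > 0 && failOn === "warning") return 1;
  return 0;
}

// Constructed inventory: one secret per status when audited as of 2025-09-10.
const SAMPLE = [
  { name: "fresh-key", created: "2025-09-01", rotation: 90 }, // 9 of 90 days
  { name: "stripe-api-key", created: "2025-06-15", rotation: 90 }, // 87 of 90 days
  { name: "github-token", created: "2025-01-15", expires: "2026-01-15", rotation: 90 }, // 238 days old
  { name: "old-token", created: "2024-01-01", expires: "2025-01-01" }, // past expiry
];
const AS_OF = new Date("2025-09-10");
const result = audit(SAMPLE, AS_OF);
console.log(JSON.stringify(result, null, 2), "\nexit code:", exitCode(result.summary, "warning"));
```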
Automation Tips
- Use `--json` for machine-parseable output
- Use `--quiet` to suppress banners and progress info
- Use `--ci` for automation-friendly exit codes
- Pipe output to `jq` for filtering
CI/CD Integration
```yaml
# .github/workflows/secret-audit.yml
name: Secret Audit
on:
  schedule:
    - cron: '0 9 * * 1'
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: npx mpx-secrets-audit check --ci --fail-on warning
```

Free vs Pro
| Feature | Free | Pro |
|---------|------|-----|
| Secrets tracked | Up to 10 | Unlimited |
| Manual entry | ✅ | ✅ |
| Check and list commands | ✅ | ✅ |
| Text reports | ✅ | ✅ |
| PDF reports | ✅ | ✅ |
| CI/CD exit codes | ✅ | ✅ |
| MCP server | ✅ | ✅ |
| JSON/Markdown reports | ❌ | ✅ |
| AWS IAM scanner | ❌ | ✅ |
| GitHub PAT scanner | ❌ | ✅ |
| Team sharing | ❌ | ✅ |
Upgrade to Pro: Coming soon!
Security Notes
- No actual secret values are stored — only metadata (names, dates, providers)
- Config files contain no credentials — just tracking information
- Safe to commit to version control (consider `.gitignore` for `.secrets-audit.json`)
- Cloud scanners never expose secret values, only metadata
License
Dual License — Free tier for personal use, Pro license for commercial use and advanced features. See LICENSE for full terms.
Links
- Website: https://mesaplex.com
- npm: https://www.npmjs.com/package/mpx-secrets-audit
- GitHub: https://github.com/mesaplexdev/mpx-secrets-audit
- Support: [email protected]
Related Tools
- mpx-scan — Website security scanner
- mpx-api — API testing, mocking, and documentation
- mpx-db — Database management CLI
Made with ❤️ by Mesaplex
