Star
Docs Commands

Directory-scoped secrets manager

Store secrets outside your repos, inherit them through directory ancestry. Export to any shell format.

Get Started GitHub
terminal
# Set a secret for your project
$ burrow set API_KEY=sk-live-abc123

# Export to your shell
$ eval "$(burrow export)"

# Secrets inherit through directories
$ burrow list
API_KEY  sk-live-abc123  ~/projects

Install

Single binary, no dependencies.

$ curl -fsSL https://i.safia.sh/captainsafia/burrow | sh

Why Burrow?

Built for developers who want simple, secure local secret management.

Directory Scoping

Secrets are scoped to directories and inherited through ancestry, just like .gitignore.

Outside Repos

Secrets stored in your user profile directory, never accidentally committed.

Shell Export

Export to bash, zsh, fish, PowerShell, cmd, dotenv, or JSON formats.

Auto-load

Direnv-style automatic loading when you cd into trusted directories.

Single Binary

No runtime dependencies. Written in TypeScript, compiled with Bun.

Library API

Also works as a TypeScript/JavaScript library via npm.

Usage

Common workflows and examples for using Burrow.

Set a secret

Set a secret using KEY=VALUE format:

burrow set API_KEY=sk-live-abc123

Or use separate arguments for key and value:

burrow set API_KEY sk-live-abc123

Omit the value to be prompted securely via stdin:

burrow set API_KEY

Set a secret for a specific path:

burrow set DATABASE_URL=postgres://localhost/mydb --path ~/projects

Get a secret

Get a secret value (resolved from directory ancestry):

burrow get API_KEY

Get with JSON output:

burrow get API_KEY --format json

Redact the secret value (useful for logging):

burrow get API_KEY --redact

List all secrets

List all resolved secrets for the current directory:

burrow list

Output as JSON:

burrow list --format json

Redact secret values (useful for auditing):

burrow list --redact

Export to shell

Export secrets as environment variables (auto-detects your shell):

eval "$(burrow export)"

Use with a command:

eval "$(burrow export)" && npm start

Or specify a format explicitly:

burrow export --format fish

Auto-load secrets

Set up automatic loading when you enter a trusted directory:

# Install the shell hook (one-time setup)
burrow init

# Trust a project directory
cd ~/projects/myapp
burrow trust .

Once set up, secrets load automatically when you cd into trusted directories.

Commands

Command Description
burrow set <key> [value] Set a secret at the given path
burrow get <key> Get a secret resolved from cwd ancestry
burrow list List all resolved secrets for cwd
burrow export Export secrets as environment variables
burrow unset <key> Block a secret at the given path
burrow remove <key> Remove a secret entry entirely
burrow trust [path] Trust a directory for auto-loading
burrow untrust [path] Remove trust from a directory
burrow init [shell] Install the shell hook for auto-loading
burrow hook <shell> Output shell hook code
burrow version Show version information
burrow help [command] Show help information

Library Usage

Burrow also works as a TypeScript/JavaScript library. Install it via npm:

npm install @captainsafia/burrow

Then use it in your code:

import { BurrowClient } from '@captainsafia/burrow';

const client = new BurrowClient();

try {
  // Set a secret
  await client.set('API_KEY', 'secret123', { path: '/my/project' });

  // Get a secret (resolved through ancestry)
  const secret = await client.get('API_KEY', { cwd: '/my/project/subdir' });
  console.log(secret?.value);       // 'secret123'
  console.log(secret?.sourcePath);  // '/my/project'

  // List all secrets
  const allSecrets = await client.list({ cwd: '/my/project' });
} finally {
  client.close(); // Clean up database connection
}