Best CLIs for Secrets, Auth, and Security
These CLIs help developers and agents manage secrets, credentials, tokens, access control, and related security workflows. The strongest tools here expose read commands with machine-readable output and carefully scoped mutation commands.
mkcert
Generate and install locally trusted development TLS certificates for localhost, custom domains, and IPs.
Vault CLI
HashiCorp CLI for reading and writing Vault secrets, managing auth, policies, tokens, and leases, and operating Vault clusters.
Trivy
Security scanner for container images, repositories, filesystems, Kubernetes, and SBOMs, with vulnerability, misconfiguration, secret, and license checks.
Certbot
Official ACME client from EFF for obtaining, renewing, and automating TLS certificates from the terminal.
masscan
Internet-scale port scanner for sweeping large IP ranges, finding open ports, and collecting basic service banners.
Infisical CLI
Official Infisical CLI for injecting, exporting, scanning, and managing secrets from Infisical projects.
gitleaks
Secrets scanning CLI for git history, directories, files, and stdin input.
age
File encryption CLI for encrypting and decrypting files with public keys, SSH keys, or passphrases.
sops
Secrets file CLI for encrypting, decrypting, rotating, and editing YAML, JSON, dotenv, INI, and binary files with age, PGP, Vault, or cloud KMS keys.
Semgrep
Static analysis CLI for scanning code with Semgrep rules, custom patterns, CI checks, and optional autofixes.
nmap
Network scanner for host discovery, port scanning, service fingerprinting, OS detection, traceroute, and NSE script scans.
grype
Vulnerability scanner for container images, filesystems, files, and SBOMs, with commands to query its local vulnerability database.
git-crypt
Git repository encryption CLI for transparently encrypting selected files and sharing access with collaborators.
kubeseal
Kubernetes CLI for sealing Secret manifests into encrypted SealedSecret resources for GitOps workflows.
Checkov
Security scanner CLI for Terraform, Kubernetes, Dockerfiles, CI configs, and other infrastructure-as-code files.
syft
SBOM generation CLI for container images, filesystems, and archives, with SPDX and CycloneDX output.
tfsec
Terraform security scanning CLI for finding infrastructure misconfigurations in code and modules before apply.
gopass
Encrypted password-store CLI for managing secrets, recipients, OTP data, and git-backed shared stores.
cosign
Official Sigstore CLI for signing, verifying, and attesting container images, blobs, and other software artifacts.
Snyk CLI
Official Snyk CLI for testing dependencies, code, containers, and IaC for vulnerabilities, policy issues, and ongoing monitoring.
Smallstep CLI
PKI CLI for operating step-ca, issuing and inspecting X.509 or SSH certificates, and running related crypto and OAuth workflows.
ssh-audit
SSH security audit CLI for checking server or client algorithms, policies, and hardening posture.
Boundary CLI
HashiCorp CLI for authenticating to Boundary, managing access resources, and opening proxied sessions to targets.
git-secret
Git secrets CLI for encrypting tracked files with GPG, managing who can decrypt them, and revealing them in local or CI workflows.
Bitwarden CLI
Official Bitwarden CLI for vault login, credential retrieval, item management, and Bitwarden Send from the terminal.
1Password CLI
Official CLI for accessing 1Password items, vaults, and secret references from the terminal. It also injects secrets into files, environment variables, and shell plugin auth flows.
SonarScanner CLI
Code analysis scanner CLI for SonarQube Server and SonarQube Cloud projects.
Doppler CLI
Secrets management CLI for Doppler projects, configs, service tokens, and secret-injected command runs.
Auth0 CLI
Official Auth0 CLI for managing tenant resources, actions, logs, and login or token test flows from the terminal.
sshpass
Non-interactive SSH password helper for scripting legacy systems that cannot use key-based authentication.
Okta CLI
Official Okta CLI for developer org signup, login, OIDC app creation, sample app bootstrapping, and basic app management.