
Infisical CLI

Official · Infisical

Official Infisical CLI for injecting, exporting, scanning, and managing secrets from Infisical projects.

$ brew install infisical/get-cli/infisical

Language: Go
Stars: 25,278
Category: Security
Agent: Ready
Agent Compatibility
JSON Output
Agent Skill
MCP Support
AI Analysis

Infisical CLI is Infisical's command-line tool for secret delivery and secret management from local development through CI and production. Beyond run and export, it also covers secret CRUD, leak scanning, machine-auth flows, dynamic secrets, SSH credentials, and infrastructure-facing agent or gateway commands.

What It Enables
  • Inject project secrets into app processes, export them as dotenv, JSON, or YAML, or render them into files and templates for local dev, CI jobs, and production tasks.
  • Read, set, delete, and organize secrets, folders, service tokens, and dynamic secret leases from scripts using logged-in users, service tokens, or machine identities.
  • Scan repos or staged changes for leaked secrets, install pre-commit hooks, and use SSH, PAM, agent, gateway, relay, or proxy commands to deliver credentials and controlled access.

Agent Fit
  • Structured output is real but uneven: export --format=json, scan --report-format json, bootstrap --output json, and shared --output flags on secret, folder, and dynamic-secret commands support machine parsing.
  • Once a skill standardizes INFISICAL_TOKEN, --silent, and explicit --projectId, --env, and --path usage, the CLI fits inspect, change, and verify loops well.
  • First-run auth still has human friction because login prefers browser or interactive flows, and the CLI repo itself does not expose MCP even though the broader Infisical product has separate MCP features.

Caveats
  • Most useful commands require an Infisical account plus project setup, and self-hosted or EU deployments need consistent INFISICAL_API_URL or --domain usage.
  • Commands like agent, gateway, relay, and proxy are operational components with config files and persistent processes, so they are heavier to adopt than simple one-shot secret reads.