Built for security teams · Mozilla SOPS · Git-Native · Zero Custody
How It Works
Governance without custody

Your secrets, governed.
Compliance you can see from CI.

Clef Pro is the hosted governance dashboard for the Clef CLI. See encryption metadata, track key rotation, enforce policies — without ever touching ciphertext.

100% of your secret files tracked from CI
0 ciphertext or decrypted values stored
< 5 min to first governance report via clef report
Learn how teams govern secrets

Quick-start guides, CLI reference, and integration docs to help security teams set up governance and start tracking compliance in minutes.

How it works

Install. Report. Govern.

Add one CI step and get a complete secrets governance dashboard in minutes.

01 — Install
Install the Clef CLI.

Install Clef, initialise your repo, and manage encrypted secrets with Mozilla SOPS. Clef works with age, PGP, AWS KMS, GCP KMS, and Azure Key Vault.

$ npm install -g @clef-sh/clef
$ clef init
Initialized clef in ./secrets
02 — Report
Add one CI step.

Run clef report in your pipeline. Clef sends encryption metadata — key types, rotation timestamps, recipient fingerprints — never ciphertext or decrypted values.

# .github/workflows/ci.yml
- run: clef report
  env:
    CLEF_API_KEY: ${{ secrets.CLEF_API_KEY }}
03 — Govern
See your secrets matrix.

The namespace x environment grid shows rotation age, recipient count, and policy compliance for every encrypted file. Alerts fire when keys are overdue or missing.

Features

Why Clef Pro?

Governance without custody. See everything, touch nothing.

Secret File Matrix

Namespace x environment grid showing every encrypted file, its key type, recipient count, and compliance status — updated on every CI run.

Rotation Tracking

See when every key was last rotated. Get alerted when rotation policies are violated — before an auditor asks.

Policy Enforcement

Define governance rules — max rotation age, required key types, minimum recipients — and enforce them automatically on every report.

Recipient Audit

See exactly who has access to each secret file via their encryption key fingerprints. No more guessing who can decrypt what.

CI Pipeline Integration

One clef report step in GitHub Actions, GitLab CI, or any pipeline. Reports flow in automatically on every push.

Governance Without Custody

Clef Pro never sees ciphertext or decrypted values. Only encryption metadata flows to the dashboard — your secrets stay in your repo.

Pricing

The CLI is free. The dashboard is worth paying for.

Clef CLI and runtime agent are open source and always free. Clef Pro adds the governance UI your team and auditors need.

Open Source
CLI + runtime agent
$0 / forever
No account required

  • Lint, drift, and report commands
  • Runtime secret delivery (VCS API + age)
  • SOPS encryption & key management
  • Push to any OTLP-compatible backend
  • CI/CD integration (GitHub Actions, etc.)
Enterprise
Unlimited integrations · members
Custom
Annual contract

  • Unlimited report history
  • SOC 2 compliance export
  • SSO (SAML / OIDC)
  • Custom retention policies
  • Dedicated support
  • SLA
The Clef CLI is open source and free forever. Clef Pro plans include a 14-day free trial.

Ready to govern your secrets?

Clef Pro gives your team a single, live view of every encrypted secret file — with compliance status built in. No ciphertext ever leaves your repo.

Open Clef Pro