Secrets with Doppler

From the Doppler website:

the uncomplicated way to sync, manage, orchestrate, and rotate secrets across any environment or app config with easy to use tools.

With Doppler, we don't need secrets in plain-text distributed with .env files.

21RISK developers can acceess the secrets they need, and only the secrets they need.

Support for review environments

When a developer creates a new feature branch, we create a dedicated Doppler config. This makes it easy to experiment with new secrets and test things out, before moving to production.

In the beginning of 2024 we expect to start implement/test the framework for Automated Secrets Rotation Overview - read more here .

Proactively rotating secrets is widely accepted as necessary to maintain a strong security posture and mitigate risk. Given the hassle that can be involved with rotating secrets, it is often avoided.

Easy overview of secrets

Doppler makes it easy for us to get a complete overview, of all secrets used in 21RISK. For each secret, we can then review user access history and version history.

Doppler also gives us very good transparency, into what users (as well as programmatic) access has been given:

Security at Doppler

Doppler is supporting thousands of companies with their secrets, and use rigorous security testing . Doppler is SOC 2 certified.