30 open-source projects similar to openbao/openbao, ranked by how many features they have in common. Compare stars, activity and what each one does to find the best Openbao alternative.
Vault is a centralized secrets management platform designed to secure, store, and control access to sensitive credentials such as API keys, passwords, certificates, and encryption keys. At its core, the system employs a barrier-based cryptographic sealing mechanism that requires an unseal process to decrypt internal storage, ensuring that sensitive data remains protected. It provides identity-based access control to manage granular permissions across distributed infrastructure, effectively centralizing security policies and authentication for both human and machine workloads. What distinguish
Pulumi is an infrastructure-as-code framework that enables the definition, deployment, and management of cloud resources using general-purpose programming languages. It functions as a cloud resource orchestrator that coordinates the lifecycle of heterogeneous infrastructure by executing code to construct dependency graphs and reconciling the desired state against actual cloud environments. The platform distinguishes itself through a language-host runtime bridge that allows developers to use standard programming languages to define infrastructure, rather than relying solely on domain-specific
The AWS Cloud Development Kit is an infrastructure-as-code framework that enables developers to define and provision cloud resources using familiar programming languages. By utilizing construct-based synthesis, it translates high-level, object-oriented code into declarative templates, allowing for the automated management of complex cloud environments through a centralized, code-driven control plane. The framework distinguishes itself through its ability to model infrastructure as a dependency-aware resource graph, ensuring that components are provisioned and updated in the correct order. It
Octelium is a zero-trust network access platform and identity-aware proxy designed to secure private HTTP, SSH, and SQL resources. It functions as a secure gateway that validates human and workload identities using OIDC, SAML, and FIDO2 passkeys before granting access to internal applications and SaaS APIs. The system is distinguished by its secretless access broker, which injects credentials—such as API keys, passwords, and AWS Sigv4 signatures—at the gateway level so users can access databases and cloud resources without managing secrets. It further specializes in AI gateway administration,
This project is a web application security standard and vulnerability framework. It provides a comprehensive list of the most critical security risks facing web applications, paired with technical guidance and a structured methodology for identifying and mitigating these flaws. The framework functions as a secure coding guide and a risk assessment methodology, offering a standardized approach to prioritizing vulnerabilities based on their potential impact and likelihood of exploitation. It defines architectural patterns and technical recommendations to help developers implement defense in dep
Rocky is an open-source enterprise operating system designed for server and cloud infrastructure. It is a community-maintained Linux server distribution that provides a platform focused on stability and security. The project is fundamentally a Red Hat Enterprise Linux compatible operating system, maintaining bug-for-bug binary compatibility to ensure identical software behavior. This allows it to serve as an enterprise-grade platform without proprietary licensing. The distribution covers a broad range of system administration capabilities, including package management via modular repository
Solid is a protocol and ecosystem for decentralized web applications that separates application logic from data storage. It enables users to store and control their personal information in personal online data stores, known as Pods, ensuring that individuals own their data rather than the applications they use. The project provides a framework for decentralized identity and authentication using WebID and OpenID Connect, decoupling identity from central providers. It implements a resource-level permission system via Web Access Control, allowing users to grant or deny read, write, and append ac
Teleport is a zero-trust access platform designed to provide secure, identity-based connectivity to servers, databases, and Kubernetes clusters. It functions as a centralized gateway that replaces static credentials with short-lived, identity-bound cryptographic certificates, effectively eliminating the need for traditional VPNs and long-term secret exposure. The platform distinguishes itself by orchestrating access through a unified control plane that maps external identity provider claims to granular, role-based infrastructure permissions. It enforces security through mutual TLS gateways an
Pangolin is a zero-trust remote access platform designed to provide secure, identity-aware connectivity to private network resources. It functions as a cloud-native network controller that orchestrates encrypted tunnels, traffic routing, and access policies across distributed environments. By leveraging WireGuard for secure data transport, the platform enables authenticated access to internal web applications, terminal sessions, and remote desktops without exposing services to the public internet. The platform distinguishes itself through a declarative infrastructure model that synchronizes n
RuoYi is a Spring Boot admin framework designed for building enterprise applications. It provides a foundation for creating management dashboards and orchestrating systems using either monolithic or microservices architectures. The project features a low-code application generator that produces ready-to-compile source code and API documentation based on database table configurations. It implements a role-based access control system to map users and roles to specific menus and buttons for secure resource access. The framework includes capabilities for system health monitoring, real-time perfo
Cube is a semantic data layer that provides a unified framework for defining business metrics, dimensions, and relationships across diverse data sources. By acting as a headless business intelligence engine, it transforms raw data into a governed model that can be queried via SQL, REST, and GraphQL interfaces. This architecture ensures consistent data definitions and logic across all downstream analytical applications and reporting tools. The platform distinguishes itself through its integrated conversational AI capabilities, which allow users to explore data using natural language. It orches
Apollo is a centralized configuration management system designed to manage environment-specific application settings for microservices and servers. It serves as a central store for properties, YAML, and JSON data, providing a platform for versioning, auditing, and the dynamic delivery of configurations. The system distinguishes itself through a dynamic delivery platform that supports real-time configuration pushes and grayscale releases. This allows updates to be rolled out to a small subset of service instances as a canary deployment to validate stability before a full fleet update. Governa
ToolJet is a low-code development platform designed for building and deploying internal business applications. It provides a visual interface where users can drag and drop components to design layouts, connect to various data sources, and execute custom logic. The platform is built on a containerized architecture, ensuring that applications remain portable and consistent across different cloud and server environments. The platform distinguishes itself through integrated artificial intelligence capabilities that assist in the generation of user interfaces, database schemas, and data queries fr
lakeFS is a data lake versioning system that provides Git-like branching and commits for large datasets stored in object storage. It functions as a version control layer, enabling the creation of immutable snapshots, atomic commits, and zero-copy branching to create isolated environments for data experimentation without duplicating physical files. The system serves as an S3-compatible storage gateway and an Iceberg REST catalog, allowing standard cloud storage protocols and compatible clients to manage versioned tables. It acts as a data quality gatekeeper by using an event-driven hook system
Parse Server is a backend-as-a-service solution and Node.js framework that provides a ready-to-use REST and GraphQL API for mobile and web applications. It functions as a core backend infrastructure for managing database schemas, user authentication, and API routing. The system distinguishes itself with a real-time data engine that pushes database updates to clients via WebSockets and a GraphQL server that automatically generates schemas based on application data models. It also features an adapter-based storage layer that abstracts interactions with various cloud and local backends. The pla
Screwdriver is a continuous delivery platform designed to orchestrate automated build, test, and deployment workflows. It functions as a containerized build orchestrator that manages the entire delivery lifecycle, from event-driven pipeline triggering to the execution of tasks within isolated, pluggable container environments. The platform distinguishes itself through a modular architecture that decouples build logic from underlying compute resources, allowing for consistent execution across diverse infrastructures. It provides robust pipeline configuration management, enabling teams to defin
Casbin is an authorization library that provides a model-based engine for enforcing access control across diverse application environments. It decouples authorization logic from application code by using a configuration-driven approach, allowing developers to define access rules and evaluation logic independently. The system supports a wide range of access control models, including role-based, attribute-based, and relationship-based patterns, which are evaluated at runtime to determine if a subject is permitted to perform an action on a resource. The project distinguishes itself through a hig
Terminus is a multifunctional terminal emulator and connection manager designed for managing remote server shells and local hardware device connections. It functions as a customizable shell interface and a cross-platform serial client, supporting communication via SSH, Telnet, and serial ports. The application features an extensible system that allows the integration of third-party plugins, such as AI assistants and additional connectivity tools. It includes a dedicated SSH connection manager with support for jump hosts, port forwarding, and the storage of sensitive credentials within encrypt
Papra is a self-hosted document management system designed for digital archiving, organization, and retrieval. It serves as a centralized platform for storing files with a focus on security, providing an encrypted file archive using AES-256-GCM and a programmatic interface for managing documents and metadata via a REST API, SDK, and command line tools. The system distinguishes itself through an automated document ingestion engine that imports files via email forwarding, monitored folders, and webhook listeners. It further enhances discoverability by acting as an OCR document indexer, extracti
Ockam is an end-to-end encryption framework and distributed identity provider designed to establish secure communication between applications and devices. It provides a secure network overlay that utilizes cryptographic identities and attribute-based access control to implement zero trust network access. The project distinguishes itself through metadata-driven multi-hop routing and a pluggable transport layer, allowing encrypted traffic to move across diverse network topologies without requiring virtual IP overlays. It specifically enables secure tunneling for legacy applications by wrapping
Consul is a distributed coordination service and service mesh tool used for service discovery, health monitoring, and cluster state management across dynamic networks. It provides a platform for locating network addresses of services and managing traffic across distributed infrastructure using DNS and HTTP interfaces. The project distinguishes itself through multi-datacenter network orchestration, enabling the federation of services across different regions using mesh gateways. It secures communication via a service mesh architecture that employs identity-based authorization and mutual TLS en
Next Terminal is an enterprise bastion host platform that brokers and audits remote access to servers and devices. It functions as a centralized gateway unifying access to Windows, Linux, and legacy systems through a single authenticated interface, supporting RDP, SSH, VNC, Telnet, and HTTP protocols. The platform combines certificate management, policy-based access control, reverse tunnel agents, session recording, and web proxy interception into a unified security gateway. It deploys lightweight agents in internal networks that build reverse tunnels to a central site, eliminating per-locati
Paperclip is an LLM agent orchestration platform and governance suite designed to coordinate teams of autonomous AI agents. It provides a management plane for defining organizational hierarchies, assigning roles, and aligning individual agent tasks with a structured mission tree to ensure work maps to business objectives. The project distinguishes itself through a specialized agent skill registry and workspace manager. It allows for the discovery and injection of reusable workflows into agent runtimes without retraining and provides isolated, sandboxed execution environments with persistent s
The agent-governance-toolkit is a framework for enforcing security policies, managing zero-trust identities, and sandboxing the execution of autonomous AI agents. It provides a governance layer designed to control the behavior of agents through the use of a security policy engine, cryptographic identity management, and a runtime execution sandbox. The project distinguishes itself through a multi-tier privilege ring system and a cryptographic identity mesh that secures communication between autonomous entities. It implements a decay-based trust scoring mechanism to track entity reliability and
XNU is a hybrid operating system kernel that combines a microkernel architecture with a monolithic layer for system services. It provides a foundation for operating system development, incorporating standardized system-call interfaces, a modular device driver framework, and mandatory access control security. The architecture features a Mach-based microkernel and a BSD-based monolithic layer. It utilizes a message-passing inter-process communication bus for secure data exchange between isolated kernel components and user-space processes, alongside an object-oriented driver framework that decou
Digger is a GitOps infrastructure automation system and Terraform orchestrator. It enables the execution of infrastructure plans and applies directly from version control pull requests and CI pipelines. The project provides a framework for policy-based governance and state management. It enforces role-based access controls and custom security policies on infrastructure changes, while centrally storing state files with version history and access controls. The system manages infrastructure workflows through pull request comment triggers and remote execution. It includes capabilities for drift
Pundit is a Ruby authorization framework that implements policy-based access control. It maps domain models to dedicated logic classes that determine whether a user is permitted to perform specific actions on data objects. The framework utilizes plain Ruby objects to decouple authorization logic from the model. It includes mechanisms for data query scoping to filter record collections based on user permissions, as well as attribute-level permission control to restrict which specific model fields a user can modify. The system provides tools for authorization coverage verification to ensure se
Ockam is a zero-trust networking framework designed to secure data transit between distributed applications using an identity-based network overlay. It provides the primitives necessary to establish mutually authenticated and end-to-end encrypted connections, removing the reliance on traditional network-layer security. The project is distinguished by its use of attribute-based access control and verifiable credentials to manage trust at scale. It implements cryptographic identity rotation to maintain identity continuity and integrates with hardware-backed key management systems to secure priv
3proxy is a multi-protocol proxy server and network access control gateway. It functions as a network traffic forwarder capable of routing TCP and UDP traffic across HTTP, SOCKS, and various email and file protocols. The project provides specialized capabilities for secure traffic inspection, including the decryption and analysis of HTTPS and TLS streams through certificate spoofing and mutual authentication. It further supports client identity anonymization by routing outbound traffic through recursive upstream proxy chains. The software covers a broad range of network management functions,
react-native-mmkv is a synchronous mobile persistence system that provides an encrypted key-value store for mobile applications. It serves as a high-performance wrapper for the MMKV storage engine, eliminating asynchronous overhead by reading and writing values directly to disk. The project distinguishes itself through shared app group storage, which allows data access across multiple application extensions via a shared filesystem directory. It also provides state-synced storage hooks that automatically trigger component updates when stored key-value pairs change. The system covers a broad r