{"id":18317189,"url":"https://github.com/ibotta/sopstool","last_synced_at":"2026-04-02T02:05:24.653Z","repository":{"id":29910563,"uuid":"119301074","full_name":"Ibotta/sopstool","owner":"Ibotta","description":"SOPS multi-file wrapper","archived":false,"fork":false,"pushed_at":"2025-02-17T16:18:08.000Z","size":211,"stargazers_count":38,"open_issues_count":10,"forks_count":5,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-03-21T12:06:55.928Z","etag":null,"topics":["aws","devops","golang","kms","pgp","secret-distribution","secrets-management","sops"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Ibotta.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-01-28T21:50:43.000Z","updated_at":"2025-02-17T16:18:10.000Z","dependencies_parsed_at":"2024-04-29T15:42:25.930Z","dependency_job_id":"4bc33c04-56bd-4348-8cd8-a739022ac8b2","html_url":"https://github.com/Ibotta/sopstool","commit_stats":null,"previous_names":[],"tags_count":18,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ibotta%2Fsopstool","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ibotta%2Fsopstool/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ibotta%2Fsopstool/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ibotta%2Fsopstool/manifests","owner_url":"https://repos.ecosyste.ms/a
pi/v1/hosts/GitHub/owners/Ibotta","download_url":"https://codeload.github.com/Ibotta/sopstool/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247406038,"owners_count":20933803,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","devops","golang","kms","pgp","secret-distribution","secrets-management","sops"],"created_at":"2024-11-05T18:05:21.929Z","updated_at":"2025-10-19T02:51:32.678Z","avatar_url":"https://github.com/Ibotta.png","language":"Go","readme":"# sopstool\n\n## sopstool EOL\n\nPlease note, this project is no longer maintained. The [sops](https://getsops.io/) program itself has added a number of features that make this project redundant, and usage of the tool has largely migrated to using AWS Secrets Manager or AWS Parameter Store. This project is archived, and will not be updated.\n\nThe additional install repositories (https) are also deprecated and will be removed in the future.\n\nThe last release of sopstool was [1.2.1](https://github.com/Ibotta/sopstool/releases/tag/v1.2.1).\n\n## Introduction\n\nsopstool is a multi-file wrapper around [sops](https://github.com/getsops/sops). It uses the sops binary to encrypt and decrypt files, and piggybacks off the .sops.yaml configuration file.\n\nsopstool provides functionality to manage multiple secret files at once, and even use as an entrypoint to decrypt at startup, for container images. 
Much of this behavior is inspired by the great [blackbox project](https://github.com/StackExchange/blackbox).\n\n- [sopstool](#sopstool)\n\t- [sopstool EOL](#sopstool-eol)\n\t- [Introduction](#introduction)\n\t- [1.0.0 Release and Breaking Changes](#100-release-and-breaking-changes)\n\t- [Installation](#installation)\n\t\t- [Package Repositories](#package-repositories)\n\t\t- [Container Image](#container-image)\n\t\t- [Packages or binaries from Releases](#packages-or-binaries-from-releases)\n\t\t- [Shell installer](#shell-installer)\n\t\t- [Installing sops manually](#installing-sops-manually)\n\t\t\t- [Installing the sops binary with our script installer](#installing-the-sops-binary-with-our-script-installer)\n\t\t\t- [Download sops from our https mirror (deprecated)](#download-sops-from-our-https-mirror-deprecated)\n\t\t- [Installing sopstool manually](#installing-sopstool-manually)\n\t\t\t- [Installing the sopstool binary using our script installer](#installing-the-sopstool-binary-using-our-script-installer)\n\t\t\t- [Download sopstool from our https mirror (deprecated)](#download-sopstool-from-our-https-mirror-deprecated)\n\t- [Usage](#usage)\n\t- [Configuration](#configuration)\n\t- [How-To](#how-to)\n\t\t- [Walkthrough](#walkthrough)\n\t- [Contributing](#contributing)\n\t\t- [docs](#docs)\n\n## 1.0.0 Release and Breaking Changes\n\n1.0.0 release of `sopstool` introduces M1 / darwin-arm64 support. We also want to match build artifacts produced by GoReleaser to what `sops` produces. Therefore, this version introduces a breaking change where we no longer produce artifacts like `sopstool_linux.(deb|rpm|tar.gz)` and `sopstool_darwin.tar.gz`. 
Instead, you'll see artifacts like `sopstool_darwin_(arm64|amd64)_(deb|rpm|tar.gz)` and `sopstool_linux_(arm64|amd64)_(deb|rpm|tar.gz)` in future releases.\n\n## Installation\n\n### Package Repositories\n\nsopstool is available in the following repositories:\n\n- homebrew via the `Ibotta/public` tap: `brew install Ibotta/public/sopstool`\n- asdf (and mise) via the `sopstool` plugin: `asdf plugin add sopstool`\n\n### Container Image\n\nImages are tagged with the same version numbering as the releases, and `latest` always gets the latest release. Note that your image will need root CA certificates (typically installed with curl, or a `ca-certificates` package).\n\nTo use sopstool from a container (avoiding binary installs):\n\n```sh\ndocker run --rm -v \"$(pwd)\":/work -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_REGION -e AWS_SECURITY_TOKEN -e AWS_SESSION_TOKEN ghcr.io/ibotta/sopstool:latest $COMMAND\n```\n\n- `sopstool` is the entrypoint, so any sopstool subcommand can be run.\n- `/work` is the default WORKDIR - this should be mounted to the root where `.sops.yaml` is stored.\n- The commands need access to your AWS credentials session to authenticate to KMS.\n\nOr, use as a COPY source in your Dockerfile. `sops` and `sopstool` are in `/usr/local/bin/`:\n\n```docker\nCOPY --from=ghcr.io/ibotta/sopstool:latest usr/local/bin/sops usr/local/bin/sopstool /usr/local/bin/\n```\n\n### Packages or binaries from Releases\n\nCheck the [Releases](https://github.com/Ibotta/sopstool/releases) for the latest artifacts\n\n- Binaries (compressed as .tar.gz or .zip) (note, you will need `sops` installed manually)\n- RPM, Debian and APK packages\n\nAll artifacts have their sha256 checksums recorded in `sopstool_checksums.txt`, and SPDX SBOM artifacts are available.\n\n### Shell installer\n\nThe most direct install uses a shell script hosted in this repository. 
This script will install the latest sops (if the command does not exist) and sopstool to `./bin` by default.\n\n```sh\ncurl https://raw.githubusercontent.com/Ibotta/sopstool/main/install.sh | bash\n```\n\n- Override the sops version with the `-s` argument\n- Override the sopstool version with the `-t` argument\n- Override the binary install location with the `-b` argument\n  - remember, you may need `sudo` or root access if you are installing to `/usr/*`\n\nExample with overrides:\n\n```sh\ncurl https://raw.githubusercontent.com/Ibotta/sopstool/main/install.sh | bash -s -- -b /usr/local/bin -s 3.0.0 -t 0.3.0\n```\n\n### Installing sops manually\n\nsopstool requires [sops](https://github.com/getsops/sops). You can use one of the following methods:\n\n- From one of the public repositories (it is available in most)\n- From the [official releases](https://github.com/getsops/sops/releases)\n\n#### Installing the sops binary with our script installer\n\nThe install script above uses a separate script to download sops\n\n```sh\ncurl https://raw.githubusercontent.com/Ibotta/sopstool/main/sopsinstall.sh | bash\n```\n\n- Override the tag with the first shell argument (defaults to latest)\n- Override the binary install location with the -b flag (defaults to `/.bin`)\n\n#### Download sops from our https mirror (deprecated)\n\n\u003e Note this method is deprecated, and will be removed in the future. Use one of the other methods instead.\n\nTo avoid needing to find the 'latest' binary by hand or by script, use our https server to download the binary. The latest binary is uploaded automatically whenever sopstool is deployed. 
The file has the pattern `sops_$OS_$ARCH`, except for `windows`\n\n- OS: `linux`, `darwin`\n  - ARCH: `amd64`, `arm64`\n  - filenames: `sops_$OS_$ARCH.tar.gz`\n- OS: `windows`\n  - ARCH `amd64` only\n  - filename: `sops_windows.zip`\n- Versions\n  - latest: `https://oss-pkg.ibotta.com/sops/$filename`\n  - specific tags: `https://oss-pkg.ibotta.com/sops/$TAG/$filename`\n\n### Installing sopstool manually\n\nFollowing the lead of [sops](https://github.com/getsops/sops), we only build 64bit binaries.\n\n#### Installing the sopstool binary using our script installer\n\nThe install script above uses a separate script to download sopstool\n\n```sh\ncurl https://raw.githubusercontent.com/Ibotta/sopstool/main/sopstoolinstall.sh | bash\n```\n\n- Override the tag with the first shell argument (defaults to latest)\n- Override the binary install location with the -b flag (defaults to `/.bin`)\n\n#### Download sopstool from our https mirror (deprecated)\n\n\u003e Note this method is deprecated, and will be removed in the future. Use one of the other methods instead.\n\nTo avoid needing to find the 'latest' binary by hand or by script, use our https server to download the binary. The latest binary is uploaded automatically whenever sopstool is deployed.\n\n- OS: `linux`, `darwin`\n  - ARCH: `amd64`, `arm64`\n  - filenames: `sopstool_$OS_$ARCH.tar.gz`\n- OS: `windows`\n  - ARCH: `amd64`, `arm64`\n  - filename: `sopstool_windows_$ARCH.zip`\n- Versions\n  - latest: `https://oss-pkg.ibotta.com/sopstool/$filename`\n  - specific tags: `https://oss-pkg.ibotta.com/sopstool/$TAG/$filename`\n\nAdditionally, all other release assets are also within this folder. 
This includes the checksums, packages, SBOMs, as well as installers:\n\n- `https://oss-pkg.ibotta.com/sopstool/install.sh` for the combined installer\n- `https://oss-pkg.ibotta.com/sopstool/sopsinstall.sh` for the sops installer\n- `https://oss-pkg.ibotta.com/sopstool/sopstoolinstall.sh` for the sopstool installer\n\n## Usage\n\nThis is a package that builds a single binary (per architecture) for wrapping [sops](https://github.com/getsops/sops) with multi-file capabilities.\n\nFor more details, use the built-in documentation on commands:\n\n```sh\nsopstool -h\n```\n\nTo get the shell completion helpers:\n\n```sh\n#!/usr/bin/env bash\nsopstool completion\n```\n\n```sh\n#!/usr/bin/env zsh\nsopstool completion --sh zsh\n```\n\n## Configuration\n\n1. Use a [`.sops.yaml`](https://github.com/getsops/sops#using-sops-yaml-conf-to-select-kms-pgp-for-new-files) file\n\n   - This will be at the root of your project. This file is used to both configure keys and hold the list of files managed.\n   - It needs to specify at least one KMS key accessible by your environment\n\n     ```yaml\n     creation_rules:\n       - kms: arn:aws:kms:REGION:ACCOUNT:key/KEY_ID\n     ```\n\n   - It can specify more complex cases of patterns vs keys too (see link)\n\n## How-To\n\n1. Create a [KMS Key](https://aws.amazon.com/kms/).\n1. Follow along the [Configuration Steps](https://github.com/Ibotta/sopstool/tree/main/#configuration), and place the `.sops.yaml` file at the root directory where your scripts will run.\n   - All files added to SOPS are relative to, or in child directories of, the `.sops.yaml` configuration file.\n1. Create a file to encrypt (any extension other than `.yaml` if you wish to encrypt the **ENTIRE** file), or create a yaml file with `key: value` pairs (and make sure its extension is `.yaml`). Sops will encrypt the values, but not the keys.\n   - You can read more about [SOPS Here](https://github.com/getsops/sops).\n1. 
At this point, `sopstool` is ready, and you can now `sopstool add filename`. You'll notice it will create a `filename.sops.extension`. This is your newly encrypted file.\n   - When your files are properly encrypted, you can run `sopstool clean` to remove the original plain text secret files.\n1. Now, you can interact via the command line in various ways.\n   - **Editing an encrypted file** - `sopstool edit filename.sops.extension`. You can also use your original filename too! `sopstool edit filename.extension`\n   - **Listing all encrypted files** - `sopstool list`\n   - **Removing encrypted file** - `sopstool remove filename.extension`\n   - **Display the contents of encrypted file** - `sopstool cat filename.extension`\n\n### Walkthrough\n\nIn this walkthrough, we will go through the steps required to get a secure yaml configuration file running.\n\n1. Configure your `.sops.yaml`\n\n   ```yaml\n   # .sops.yaml\n   creation_rules:\n     - kms: arn:aws:kms:REGION:ACCOUNT:key/KEY_ID\n   ```\n\n1. Create a secrets yaml configuration file\n\n   ```yaml\n   # credentials.yaml\n   database.password: supersecretdb\n   database.user: supersecretpassword\n   redshift:\n     user: my.user.name\n     password: my.password\n   ```\n\n1. Encrypt the newly created file\n\n   ```sh\n   sopstool add credentials.yaml\n   ```\n\n1. Create a sample script\n\n   ```python\n   # myscript.py\n   import yaml\n\n   # Read the decrypted credentials file\n   with open('credentials.yaml', 'r') as f:\n       # safe_load only builds plain Python types from the YAML\n       credentials = yaml.safe_load(f)\n\n   print(credentials[\"database.user\"])\n   print(credentials[\"database.password\"])\n   print(credentials[\"redshift\"][\"user\"])\n   print(credentials[\"redshift\"][\"password\"])\n   ```\n\n1. Here is what your folder structure would look like to this point (after deleting the unencrypted credentials.yaml file)\n\n   ```text\n   my-project/\n   ├── .sops.yaml\n   ├── credentials.sops.yaml\n   └── myscript.py\n   ```\n\n1. 
Accessing credentials\n\n   The flow should be as follows: decrypt credentials -\u003e run script -\u003e destroy credentials. You can use the `sopstool entrypoint` to achieve this.\n\n   ```sh\n   sopstool entrypoint python myscript.py\n   ```\n\n## Contributing\n\nBug reports and pull requests are welcome at \u003chttps://github.com/Ibotta/sopstool\u003e\n\n### docs\n\nGenerate markdown docs for the commands via\n\n```sh\nsopstool docs\n```\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fibotta%2Fsopstool","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fibotta%2Fsopstool","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fibotta%2Fsopstool/lists"}