https://github.com/blueshoe/ensure-sops-pre-commit-and-action
A pre-commit hook and a GitHub action to ensure that files are SOPS encrypted.
- Host: GitHub
- URL: https://github.com/blueshoe/ensure-sops-pre-commit-and-action
- Owner: Blueshoe
- License: mit
- Created: 2025-09-22T14:19:41.000Z (3 months ago)
- Default Branch: main
- Last Pushed: 2025-10-22T09:50:56.000Z (2 months ago)
- Last Synced: 2025-10-22T11:27:35.338Z (2 months ago)
- Topics: actions, github-actions, precommit, precommit-hooks, sops
- Language: Shell
- Homepage:
- Size: 15.6 KB
- Stars: 1
- Watchers: 0
- Forks: 0
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# ensure-sops-pre-commit-and-action
A pre-commit hook and a GitHub action to ensure that files are SOPS encrypted.
Our main use of SOPS is to encrypt Kubernetes Secrets directly, and this pre-commit hook and GitHub action grew out of that.
We SOPS-encrypt the K8s Secrets with the following setting: `unencrypted_regex: "^(apiVersion|metadata|kind|type)$"`, so those top-level keys stay readable and everything else is encrypted.
Both the hook and the action check whether a file has a top-level key called `sops:` (the metadata block SOPS writes into every file it encrypts).
Both ignore files with the basename `.sops.yaml`, as that file holds the SOPS configuration.
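To make the check concrete, here is an added shell example (not the project's own hook script) that implements the same rule on constructed sample files: a file passes only if it has a top-level `sops:` key, and the configuration file `.sops.yaml` is skipped. The function names, the sample file contents and the `ENC[...]` values are all assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not the project's own hook script: a minimal check in the
# spirit of forbid-unencrypted-sops. A file passes when it has a top-level
# "sops:" key (the metadata block SOPS writes); the SOPS configuration file
# itself (basename .sops.yaml) is skipped, as the README describes.

# Exit status: 0 = looks SOPS-encrypted, 1 = plaintext, 2 = skipped config file.
check_sops_encrypted() {
    local file="$1"
    [ "${file##*/}" = ".sops.yaml" ] && return 2
    # A top-level key starts at column 0; an indented "sops:" does not count.
    grep -Eq '^sops:' -- "$file"
}

# Checks every path given (the hook gets the staged files matching `files:`),
# reports plaintext ones on stderr and returns 1 if any were found.
check_files() {
    local rc=0 f st
    for f in "$@"; do
        st=0; check_sops_encrypted "$f" || st=$?
        [ "$st" -eq 1 ] && { echo "unencrypted: $f" >&2; rc=1; }
    done
    return "$rc"
}

# Constructed sample files (not real secrets) covering all three outcomes.
make_samples() {
    local d; d=$(mktemp -d)
    # Shape of a Secret encrypted with the README's unencrypted_regex: the
    # apiVersion/kind/metadata keys stay clear, data values become ENC[...].
    cat > "$d/db.sops.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: db
data:
  password: ENC[AES256_GCM,data:constructed,iv:constructed,tag:constructed,type:str]
sops:
  version: 3.8.1
EOF
    printf 'apiVersion: v1\nkind: Secret\ndata:\n  password: cGxhaW4=\n' > "$d/plain.sops.yaml"
    printf 'creation_rules: []\n' > "$d/.sops.yaml"   # SOPS config: ignored
    echo "$d"
}

d=$(make_samples)
check_files "$d"/*.sops.yaml "$d/.sops.yaml" || echo "exit status: $?"
rm -rf "$d"
```

Running it reports `plain.sops.yaml` as unencrypted and exits with status 1, while `db.sops.yaml` passes and `.sops.yaml` is ignored.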
## pre-commit hook
### Example usage
Just add the following to your project's `.pre-commit-config.yaml` to check whether all files ending in `.sops.yaml` are SOPS-encrypted:
```yaml
# [...]
repos:
  # [...]
  - repo: https://github.com/Blueshoe/ensure-sops-pre-commit-and-action
    rev: v1.0.0
    hooks:
      - id: forbid-unencrypted-sops
        # only run this hook on files with .sops.yaml extension (excluding the actual .sops.yaml file)
        files: .\.sops\.yaml$
```
Keep in mind that the files to run it against need to be staged, i.e. run `git add .` (or something more specific) before running pre-commit.
## GitHub action
### Example usage
```yaml
name: "Check for unencrypted SOPS files"
on: [pull_request]
jobs:
  sops-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: "Run SOPS encryption check"
        uses: blueshoe/ensure-sops-pre-commit-and-action@v1.1.0
        # You can override the default file pattern like this:
        # with:
        #   files-pattern: '"**/*.secret.yaml"'
```