This tool is designed to make git pre-commit hooks that validate sops encryption in a repository easier to write. It accepts a list of modified files as arguments or piped from stdin. It sources a `.sops.yaml` config file from the current working directory in the same fashion as sops. If a sops config is found, it determines which files in the change set match the `creation_rules` in that config and attempts to decrypt them into memory to validate that they are encrypted. If there is no sops configuration, the list of files is assumed to be prefiltered to only sops-encrypted files, and every file is validated by decryption.

Decryption is the most effective validation of an encrypted file, and the author of the change set must already have access to the encryption keys in order to have created it.
- Build the tool and import the test key.

  ```sh
  make install
  cd example
  gpg --import ./infra_test_key.asc
  cat .sops.yaml
  ```

- Create a new file in the secrets directory. Note: sops opens the new file in an editor with default contents; you will have to edit it before saving.

  ```sh
  sops secrets/new_file.yaml
  ```

- Add the new encrypted file to the cached changes, and pass the change set to the tool.

  ```sh
  git add secrets/new_file.yaml
  git diff --name-only --cached --relative | sops-precommit
  ```
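The validation flow described at the top of this page (read the file list, match it against the `path_regex` of each `creation_rule` in `.sops.yaml`, decrypt each match into memory, fail the commit on any decryption error), as an added Python example that is not the project's own code. It assumes PyYAML is available for parsing `.sops.yaml` and that a `sops` binary is on `PATH`; the decrypt step is injectable so the matching and failure logic can be exercised without keys.

```python
"""Added example: the validation flow described above, reimplemented in Python.
Not the project's own code. Assumes PyYAML for parsing .sops.yaml and a `sops` binary on PATH."""
import os
import re
import subprocess
import sys
from typing import Callable, Iterable, List, Optional

SOPS_CONFIG = ".sops.yaml"  # read from the current working directory, like sops itself

def load_path_regexes(config_text: str) -> List[str]:
    """path_regex of each creation_rule; a rule without one matches every file (empty pattern)."""
    import yaml  # PyYAML; assumed to be installed where the hook runs
    cfg = yaml.safe_load(config_text) or {}
    return [rule.get("path_regex", "") for rule in cfg.get("creation_rules", [])]

def select_files(files: Iterable[str], path_regexes: Optional[List[str]]) -> List[str]:
    """Files covered by at least one creation_rule (unanchored search, as sops does).
    With no config (None), every listed file is assumed to be sops-encrypted."""
    if path_regexes is None:
        return list(files)
    patterns = [re.compile(p) for p in path_regexes]
    return [f for f in files if any(p.search(f) for p in patterns)]

def sops_decrypt(path: str) -> bool:
    """Decrypt into memory only: output is captured, nothing is written to disk."""
    return subprocess.run(["sops", "-d", path], capture_output=True).returncode == 0

def validate(files: Iterable[str], decrypt: Callable[[str], bool] = sops_decrypt) -> List[str]:
    """Return the files that failed decryption (committed in plaintext, or wrong keys)."""
    return [f for f in files if not decrypt(f)]

def main() -> int:
    # File list from arguments, or one path per line on stdin (as from git diff --name-only)
    files = sys.argv[1:] or [line.strip() for line in sys.stdin if line.strip()]
    regexes = None
    if os.path.exists(SOPS_CONFIG):
        with open(SOPS_CONFIG) as fh:
            regexes = load_path_regexes(fh.read())
    failed = validate(select_files(files, regexes))
    for f in failed:
        print(f"sops validation failed: {f}", file=sys.stderr)
    return 1 if failed else 0  # non-zero exit aborts the commit when used as a hook

if __name__ == "__main__":
    sys.exit(main())
```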