security: pre-commit check for unencrypted stuff in secrets
This commit is contained in:
parent
8c0fb05b1e
commit
2204058c7b
1 changed files with 46 additions and 0 deletions
46
.githooks/pre-commit
Normal file
46
.githooks/pre-commit
Normal file
|
|
@ -0,0 +1,46 @@
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
# Block commits that add/modify plaintext files under secrets/
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
# Find added/modified paths under secrets/ in the index
|
||||||
|
changed_files=$(git diff --cached --name-only --diff-filter=ACMR | grep -E '^secrets/' || true)
|
||||||
|
|
||||||
|
[ -z "$changed_files" ] && exit 0 # nothing to check
|
||||||
|
|
||||||
|
fail=0
|
||||||
|
msg="❌ Commit blocked: Unencrypted file(s) detected under secrets/.
|
||||||
|
Each file in secrets/ must be SOPS-encrypted (contain a top-level 'sops:' block).
|
||||||
|
Use 'sops <file>' to edit or 'sops --encrypt --in-place <file>' to encrypt."
|
||||||
|
|
||||||
|
while IFS= read -r f; do
|
||||||
|
if ! git cat-file -e ":$f" 2>/dev/null; then
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
if [ -d "$f" ]; then
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
content="$(git show ":$f" || true)"
|
||||||
|
if [ -z "$content" ]; then
|
||||||
|
echo " - $f (empty)"; fail=1; continue
|
||||||
|
fi
|
||||||
|
if echo "$content" | grep -qE '^[[:space:]]*sops:[[:space:]]*$|"sops"[[:space:]]*:'; then
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
case "$f" in
|
||||||
|
*.age|*.gpg) continue ;;
|
||||||
|
esac
|
||||||
|
echo " - $f"
|
||||||
|
fail=1
|
||||||
|
done <<< "$changed_files"
|
||||||
|
|
||||||
|
if [ "$fail" -ne 0 ]; then
|
||||||
|
echo ""
|
||||||
|
echo "$msg"
|
||||||
|
echo ""
|
||||||
|
echo "Tips:"
|
||||||
|
echo " • Edit with SOPS: sops secrets/<file>.yaml"
|
||||||
|
echo " • Encrypt in place: sops --encrypt --in-place secrets/<file>.yaml"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
exit 0
|
||||||
Loading…
Add table
Add a link
Reference in a new issue