validate-sops is a Python utility designed to validate that specified files are encrypted using Mozilla SOPS (Secrets OPerationS). It ensures that sensitive files committed to your repository are securely encrypted, preventing accidental exposure of secrets.
The utility supports validation for files in the following formats:
- JSON (.json)
- YAML (.yaml and .yml)
- Environment files (.env)
- Validates multiple files for SOPS encryption.
- Easily integrated into pre-commit hooks for automated validation.
- Provides clear error messages for non-compliant files.
To use validate-sops as a pre-commit hook in your projects, add the following configuration to your .pre-commit-config.yaml file:
repos:
- repo: https://github.com/voldy/validate-sops
rev: 'v0.1.1' # Use the latest commit SHA or tag
hooks:
- id: validate-sops
# Adjust based on your file(s) location and type(s)
files: '.*\/secrets\/encrypted\.(yaml|yml|json|env)$'Ensure that the file paths and types specified in the files regex pattern match the location and formats of the files you intend to validate in your project.
The following instructions are intended for contributors and developers working on the validate-sops utility itself.
This project uses Poetry for dependency management and package handling. Ensure you have Poetry installed on your system.
To set up validate-sops for local development, follow these steps:
- Clone the repository:
git clone https://github.com/voldy/validate-sops.git
cd validate-sops- Install dependencies using Poetry:
poetry install- Set up the pre-commit hooks:
After configuring
.pre-commit-config.yamlin your project, run the following command to set up the git hook scripts:
pre-commit install- To manually execute all configured pre-commit hooks on all files, run:
poetry run pre-commit run --all-filesThis step is useful for testing the hooks before committing.
To run the unit tests for validate-sops, use the following command:
poetry run pytestIf you're making changes to validate-sops and want to test these changes within the context of another project that uses validate-sops as a pre-commit hook, you can leverage the pre-commit try-repo command. This allows you to run your locally modified version of validate-sops directly in the consuming project without needing to commit or push your changes.
Here's how you can test your local changes to validate-sops in another project:
- Navigate to the root directory of the project where
validate-sopsis integrated as a pre-commit hook. - Run the following command:
pre-commit try-repo /local/path/to/validate-sops validate-sops --verbose --all-filesReplace /local/path/to/validate-sops with the actual path to your local clone of the validate-sops repository.
Note: The try-repo command allows you to temporarily include your local version of validate-sops in the pre-commit configuration of the consuming project. This enables you to test uncommitted changes in validate-sops directly, making it easier to iterate on your development before finalizing your changes.
Contributions to validate-sops are welcome! Please feel free to submit pull requests or open issues to suggest improvements or report bugs.
Vladimir Zhukov
validate-sops is licensed under the MIT License. See the LICENSE file in the project root for the full license text.
![@dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=64&v=4){kind=small}
