Skip to content

binbashing/sops-cop

BranchesTags

Repository files navigation

SOPS-Cop

Go Version CI Tests

SOPS-Cop is a CLI tool to enforce SOPS encryption rules without requiring the SOPS binary or encryption keys; designed for commit hooks and CI jobs.

How it works

  • Discovers your existing SOPS configuration and verifies encryption rules are followed.
  • Supports YAML, JSON, ENV, and INI files when matched by .sops.yaml creation rules.
  • Reports each unencrypted key path to stderr with file path and location details (line:column for YAML; path-only fallback for other formats).

Exit codes

  • 0: all checked values are encrypted
  • 2: invalid arguments (for example, unresolvable target path)
  • 3: file read error (for example, file missing or permission denied)
  • 4: invalid input for the matched file format (YAML/JSON/ENV/INI)
  • 5: one or more unencrypted values were found
  • 6: .sops.yaml config error (for example, invalid regex)

Requirements

  • Go 1.26+

If you install from release binaries, Go is not required.

Install

Option 1: go install

go install github.com/binbashing/sops-cop@latest

Option 2: prebuilt release binary (no Go required)

Download the correct binary from the GitHub Releases page for your OS/arch and place sops-cop on your PATH.

Build

go build -o sops-cop .

Usage

./sops-cop

Or start from any path inside the project:

./sops-cop -target path/to/any/subdir

Print version:

./sops-cop -version

Help:

./sops-cop -h

Examples

Encrypted YAML (ok.yaml):

apiVersion: ENC[AES256_GCM,data:abc]
kind: ENC[AES256_GCM,data:def]
spec:
  db:
    password: ENC[AES256_GCM,data:ghi]
sops:
  version: 3.9.0

Run from anywhere in that repo:

./sops-cop -target ./secrets
# exit code: 0

Unencrypted YAML (bad.yaml):

spec:
  db:
    password: plaintext

Run:

./sops-cop -target .
# stderr:
# /path/to/repo/secrets/bad.yaml:3:15: unencrypted value found at 'spec.db.password'
# exit code: 5

Test

go test ./...
go vet ./...

CI

GitHub Actions runs tests on push and pull request via:

  • .github/workflows/ci.yml

Dependency updates

Dependabot is configured via .github/dependabot.yml to open weekly PRs for:

  • Go modules (gomod)
  • Docker base images (Dockerfile)
  • GitHub Actions workflow dependencies

Project structure

  • main.go: CLI entrypoint and YAML validation logic
  • config.go: .sops.yaml loading and rule matching
  • main_test.go: table-driven unit tests
  • .sops.yaml: example SOPS config for the included fixture
  • secrets.example.yaml: example encrypted Kubernetes Secret
  • go.mod / go.sum: module and dependency locks

Design notes

  • Uses the SOPS library (github.com/getsops/sops/v3) for config parsing, rule matching, and encryption path selection — ensuring exact behavioral parity with SOPS.
  • Uses gopkg.in/yaml.v3 node traversal for line:column error reporting.
  • Keeps implementation in a single executable package for simplicity and portability.
  • Follows fail-fast CLI behavior with deterministic exit codes for CI/pipeline integration.

About

Simple tool for enforcing SOPS secret encryption

Topics

security secret-management cicd devsecops sops commithooks

Resources

Readme

License

Apache-2.0 license
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases 10

v0.3.5 Latest
Mar 3, 2026
+ 9 releases

Packages

 
 
 

Contributors

Languages