These scripts are designed to be used as a pre-receive or update hook on a git server. The context is an Ansible project in which sensitive data is encrypted with Ansible Vault, with the convention that every encrypted file has the .vault extension. The Python script (abort-sensitive-files.py) verifies that:
- Every file encrypted with Ansible vault has a name ending with .vault.
- Every file with a name ending with .vault is encrypted with Ansible Vault.
- No file contains an RSA private key in plaintext.
It's called by the bash script abort-sensitive-files.sh, which has to be renamed to 'pre-receive' or 'update', made executable, and placed in the hooks/ directory of the repository on the git server.
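The following is an added example of how such a hook can be implemented, not the repository's own abort-sensitive-files.py or .sh. It folds the hook wrapper and the checks into one Python script that works both as a pre-receive hook (ref updates on stdin) and as an update hook (refname, old rev, new rev as arguments), detects Vault encryption by the $ANSIBLE_VAULT; header that every Vault-encrypted file starts with, and goes slightly beyond the text by flagging OpenSSH, EC and DSA private keys as well as RSA ones. The file names and contents in the test are constructed; the hook needs a git repository to run against, but check_file() can be exercised on its own.

```python
#!/usr/bin/env python3
"""Reject pushes that leak secrets in an Ansible project (added example, not the repository's script).

Install as hooks/pre-receive or hooks/update on the git server and make it executable.
"""
import re
import subprocess
import sys
from typing import List, Tuple

VAULT_EXT = ".vault"
# Every Ansible Vault file begins with a header such as "$ANSIBLE_VAULT;1.1;AES256".
VAULT_HEADER = b"$ANSIBLE_VAULT;"
# PEM "BEGIN ... PRIVATE KEY" markers; the page only mentions RSA, the others are an extension.
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |OPENSSH |EC |DSA |)PRIVATE KEY-----")
ZERO_SHA = "0" * 40  # git passes this as old rev for new refs and as new rev for deleted refs


def is_vault_encrypted(content: bytes) -> bool:
    """A Vault-encrypted file starts with the $ANSIBLE_VAULT; header on its first line."""
    return content.startswith(VAULT_HEADER)


def check_file(path: str, content: bytes) -> List[str]:
    """Return one message per policy violation in a single file (empty list if it is fine)."""
    problems = []
    encrypted = is_vault_encrypted(content)
    has_ext = path.endswith(VAULT_EXT)
    if encrypted and not has_ext:
        problems.append(f"{path}: Vault-encrypted but name does not end with {VAULT_EXT}")
    if has_ext and not encrypted:
        problems.append(f"{path}: name ends with {VAULT_EXT} but content is not Vault-encrypted")
    # A key inside a Vault-encrypted blob is ciphertext, so only plaintext files are scanned.
    if not encrypted and PRIVATE_KEY_RE.search(content):
        problems.append(f"{path}: contains a private key in plaintext")
    return problems


def git(*args: str) -> bytes:
    return subprocess.run(["git", *args], check=True, capture_output=True).stdout


def changed_files(old: str, new: str) -> List[str]:
    """Files added or modified between the two revisions (deleted files need no check)."""
    if old == ZERO_SHA:  # brand-new ref: every file in the pushed tree counts as new
        out = git("ls-tree", "-r", "--name-only", new)
    else:
        out = git("diff", "--name-only", "--no-renames", "--diff-filter=AM", old, new)
    return out.decode("utf-8", "surrogateescape").splitlines()


def check_updates(updates: List[Tuple[str, str, str]]) -> List[str]:
    """Run check_file over every file touched by each (old, new, ref) update."""
    problems = []
    for old, new, _ref in updates:
        if new == ZERO_SHA:  # ref deletion: nothing new arrives on the server
            continue
        for path in changed_files(old, new):
            problems.extend(check_file(path, git("cat-file", "blob", f"{new}:{path}")))
    return problems


def main() -> int:
    if len(sys.argv) == 4:  # update hook: <refname> <oldrev> <newrev>
        updates = [(sys.argv[2], sys.argv[3], sys.argv[1])]
    else:  # pre-receive hook: one "<oldrev> <newrev> <refname>" line per ref on stdin
        updates = []
        for line in sys.stdin:
            if line.strip():
                old, new, ref = line.split()
                updates.append((old, new, ref))
    problems = check_updates(updates)
    for message in problems:
        print("REJECTED: " + message, file=sys.stderr)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

Note that the diff is taken between the old and new tip of each ref, so a private key committed and then removed again within the same push is not seen; scanning every commit in the range (git rev-list old..new) would close that gap at the cost of more work per push.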
NOTE: These scripts haven't been extensively tested. In fact, they're here because I couldn't use them on a project hosted on Bitbucket Cloud: as of the time of this writing, Bitbucket Cloud doesn't support server-side pre-receive or update hooks.