Created
March 4, 2020 19:07
Ansible vault secrets pre commit git hook
#!/bin/sh
#
# Ansible Vault Secrets Git Hook
#
# Hook to check whether an unencrypted FILE_PATTERN file is being committed. Useful if secrets
# are retained in ansible-vault encrypted file(s) that should never be committed to the repository
# unencrypted. Contact a repository owner for the ansible vault password.
#
# Uncomment to trace every command while debugging the hook:
# set -o xtrace
# Treat any reference to an unset variable as an error.
set -u
# Staged paths are filtered with grep on this pattern; only matches are checked.
FILE_PATTERN='.env.yml'
# Header that ansible-vault writes to an encrypted file (the '$' is literal).
ENCRYPTED_PATTERN='$ANSIBLE_VAULT'
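#######################################
# Fail the commit if a staged file is not an ansible-vault encrypted blob.
# The staged (index) content is inspected, not the working-tree copy, so a
# file that is encrypted on disk but was staged in plaintext is still caught.
# Globals:   ENCRYPTED_PATTERN (read) - header ansible-vault writes on line 1
# Arguments: $1 - repository-relative path of the staged file
# Outputs:   guidance for the committer on stderr when the check fails
# Returns:   0 if the file is encrypted, or if it is no longer in the index
#            (a staged deletion has no content to leak); otherwise exits the
#            hook with status 1
#######################################
is_encrypted() {
  local file=$1
  local first_line

  # A staged deletion is still listed by `git diff --cached --name-only` but
  # has no index entry, so `git show :path` would fail and the file would be
  # wrongly reported as plaintext. Skip paths that are not in the index.
  if ! git ls-files --error-unmatch -- "$file" >/dev/null 2>&1; then
    return 0
  fi

  # ansible-vault writes its header as the very first line of the file, so
  # only that line is trusted; a plaintext file that merely contains the
  # marker further down is still rejected. An unreadable blob yields an
  # empty string here and therefore fails closed.
  first_line=$(git show :"$file" 2>/dev/null | head -n 1)
  case "$first_line" in
    "${ENCRYPTED_PATTERN}"*) return 0 ;;
  esac

  # printf instead of echo: echo's handling of "\n" differs between shells.
  printf 'Located a staged file that should be encrypted:\n> %s\n\n' "$file" >&2
  printf '%s\n' "Please un-stage this file. If you are adding or updating this file, please encrypt it before staging." >&2
  printf '%s\n\n' "Alternatively, you can git checkout the latest encrypted version of the file before committing." >&2
  printf '%s\n' "Remember... Only YOU Can Prevent Secret Leakage." >&2
  # Exit rather than return: the caller runs this inside a piped while-loop,
  # whose exit status becomes the hook's status.
  exit 1
}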
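# Check every staged path containing FILE_PATTERN.
#  - --diff-filter=d drops staged deletions: there is no content to leak and
#    `git show :path` has nothing to read for them (that failure used to be
#    reported as an unencrypted file).
#  - grep -F matches the pattern as a fixed string so the dots in ".env.yml"
#    are not regex wildcards; `--` keeps a pattern starting with '-' from
#    being parsed as an option.
#  - The read-loop runs in a pipeline subshell, so a failed check surfaces as
#    the pipeline's exit status; `|| exit 1` makes that the hook's status
#    explicitly rather than relying on it being the script's last command.
printf '%s\n' "Running pre-commit checks..."
git diff --cached --name-only --diff-filter=d \
  | grep -F -- "${FILE_PATTERN}" \
  | while IFS= read -r line; do
      is_encrypted "${line}"
    done || exit 1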
If your file ever gets deleted, the check fails.