sops-cop

command module
v0.3.4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 3, 2026 License: Apache-2.0 Imports: 16 Imported by: 0

README

SOPS-Cop

Go Version CI Tests

SOPS-Cop is a CLI tool to enforce SOPS encryption rules without requiring the SOPS binary or encryption keys; designed for commit hooks and CI jobs.

How it works

  • Discovers your existing SOPS configuration and verifies encryption rules are followed.
  • Supports YAML, JSON, ENV, and INI files when matched by .sops.yaml creation rules.
  • Reports each unencrypted key path to stderr with file path and location details (line:column for YAML; path-only fallback for other formats).

Exit codes

  • 0: all checked values are encrypted
  • 2: invalid arguments (for example, unresolvable target path)
  • 3: file read error (for example, file missing or permission denied)
  • 4: invalid input for the matched file format (YAML/JSON/ENV/INI)
  • 5: one or more unencrypted values were found
  • 6: .sops.yaml config error (for example, invalid regex)

Requirements

  • Go 1.26+

If you install from release binaries, Go is not required.

Install

Option 1: go install
go install github.com/binbashing/sops-cop@latest
Option 2: prebuilt release binary (no Go required)

Download the correct binary from the GitHub Releases page for your OS/arch and place sops-cop on your PATH.

Build

go build -o sops-cop .

Usage

./sops-cop

Or start from any path inside the project:

./sops-cop -target path/to/any/subdir

Print version:

./sops-cop -version

Help:

./sops-cop -h

Examples

Encrypted YAML (ok.yaml):

apiVersion: ENC[AES256_GCM,data:abc]
kind: ENC[AES256_GCM,data:def]
spec:
  db:
    password: ENC[AES256_GCM,data:ghi]
sops:
  version: 3.9.0

Run from anywhere in that repo:

./sops-cop -target ./secrets
# exit code: 0

Unencrypted YAML (bad.yaml):

spec:
  db:
    password: plaintext

Run:

./sops-cop -target .
# stderr:
# /path/to/repo/secrets/bad.yaml:3:15: unencrypted value found at 'spec.db.password'
# exit code: 5

Test

go test ./...
go vet ./...

CI

GitHub Actions runs tests on push and pull request via:

  • .github/workflows/ci.yml

Dependency updates

Dependabot is configured via .github/dependabot.yml to open weekly PRs for:

  • Go modules (gomod)
  • Docker base images (Dockerfile)
  • GitHub Actions workflow dependencies

Project structure

  • main.go: CLI entrypoint and YAML validation logic
  • config.go: .sops.yaml loading and rule matching
  • main_test.go: table-driven unit tests
  • .sops.yaml: example SOPS config for the included fixture
  • secrets.example.yaml: example encrypted Kubernetes Secret
  • go.mod / go.sum: module and dependency locks

Design notes

  • Uses the SOPS library (github.com/getsops/sops/v3) for config parsing, rule matching, and encryption path selection — ensuring exact behavioral parity with SOPS.
  • Uses gopkg.in/yaml.v3 node traversal for line:column error reporting.
  • Keeps implementation in a single executable package for simplicity and portability.
  • Follows fail-fast CLI behavior with deterministic exit codes for CI/pipeline integration.

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.