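#!/usr/bin/env bash
#
# Pre-commit guard: fail if a file named vault.yml holds plaintext secrets.
#
# A vault.yml is allowed only if it is either:
# - ansible-vault encrypted (first line starts with `$ANSIBLE_VAULT`), or
# - a placeholder with no real content (comments / blank lines / `---` only).
#
# It fails when an unencrypted vault.yml contains actual key: value content, which
# is almost always an accidental plaintext secret. Encrypt it with:
# make encrypt FILE=<path>
#
# Diagnostics name only the offending line numbers, never the lines themselves,
# so a caught secret is not echoed into terminal scrollback, hook output or CI logs.
#
set -euo pipefail

# A line with no real content: blank, a comment, or the YAML document marker `---`.
# POSIX [[:space:]] instead of \s so the pattern also works with non-GNU grep.
readonly PLACEHOLDER_RE='^[[:space:]]*(#|---[[:space:]]*$|$)'

#######################################
# Test whether a file is ansible-vault encrypted.
# Only the first-line header is inspected: this guards against accidental
# plaintext commits, not against a deliberately crafted file.
# Arguments: $1 - path to test
# Returns:   0 if the header is present, non-zero otherwise
#######################################
is_vault_encrypted() {
  local path=$1
  head -n1 -- "$path" | grep -q '^\$ANSIBLE_VAULT'
}

#######################################
# List the 1-based numbers of lines that carry real content.
# Arguments: $1 - path to scan
# Outputs:   one line number per line on stdout; nothing for a clean placeholder
# Returns:   0
#######################################
plaintext_line_numbers() {
  local path=$1
  # grep -n prefixes each hit with "N:"; keep only N. grep exits 1 when nothing
  # matches, which is the placeholder case and not an error.
  grep -nvE -- "$PLACEHOLDER_RE" "$path" | cut -d: -f1 || true
}

#######################################
# Check one file and report on stderr if it is unencrypted plaintext.
# Arguments: $1 - path to check
# Outputs:   diagnostic on stderr when the file fails the check
# Returns:   0 if the file passes (or is not a regular file), 1 if it fails
#######################################
check_file() {
  local path=$1
  local -a lines=()

  [[ -f "$path" ]] || return 0

  # Encrypted — always fine.
  if is_vault_encrypted "$path"; then
    return 0
  fi

  # Unencrypted — allowed only if there is no real content.
  mapfile -t lines < <(plaintext_line_numbers "$path")
  (( ${#lines[@]} > 0 )) || return 0

  printf 'ERROR: %s is not ansible-vault encrypted but contains plaintext content\n' "$path" >&2
  printf '  %d non-placeholder line(s) at: %s\n' "${#lines[@]}" "${lines[*]}" >&2
  printf '  Encrypt it with: make encrypt FILE=%s\n' "$path" >&2
  return 1
}

#######################################
# Check every path given on the command line.
# Arguments: paths to check; non-regular files are skipped
# Returns:   0 if all files pass, 1 if any file fails
#######################################
main() {
  local status=0 path
  for path in "$@"; do
    # Keep going so every offending file is reported in a single run.
    check_file "$path" || status=1
  done
  return "$status"
}

# No explicit exit: under `set -e` a non-zero return from main ends the script
# with that status, and a zero return lets it fall off the end with status 0.
main "$@"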