Only check suffix of SOPS encrypted secrets

viaduct-ai · Nov 20, 2019 · 1dc4427 · 1dc4427
1 parent 3f4432c
commit 1dc4427
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 10 deletions.
diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml
@@ -8,13 +8,13 @@
 - id: validate_secrets_are_encrypted
   name: Check that secret files are formatted correctly
   description: Check yaml secret have data in the 'sops' field
-  entry: validate_secrets_are_encrypted 
+  entry: validate_secrets_are_encrypted
   language: python
   types: [yaml]
 
 - id: validate_encrypted_secret_name
   name: Check secret files for correct ending
-  description: Check yaml secret files end in .enc.yaml
+  description: Check yaml SOPS encrypted secret files end in .enc.yaml
   entry: validate_encrypted_secret_name
   language: python
   types: [yaml]
diff --git a/pre_commit_hooks/validate_encrypted_secret_name.py b/pre_commit_hooks/validate_encrypted_secret_name.py
@@ -7,6 +7,8 @@
 import yaml
 
 
+ENC_SUFFIX =  ".enc.yaml"
+
 def main(argv=None):
     parser = argparse.ArgumentParser()
     parser.add_argument(
@@ -27,10 +29,14 @@ def main(argv=None):
                 data = yaml.safe_load(f)
 
                 kind = data.get("kind", None)
-                if kind == 'Secret':
-                    if not filename.endswith('enc.yaml'):
-                        print(f"Secret file doesn't end correctly: {filename}")
-                        retval = 1
+
+                # Only check encrypted secrets
+                if kind != 'Secret' or 'sops' not in data:
+                    continue
+
+                if not filename.endswith(ENC_SUFFIX):
+                    print(f"SOPS encrypted secrets should end with {ENC_SUFFIX}: {filename}")
+                    retval = 1
             except:
                 continue
 

diff --git a/pre_commit_hooks/validate_secrets_are_encrypted.py b/pre_commit_hooks/validate_secrets_are_encrypted.py
@@ -27,10 +27,10 @@ def main(argv=None):
                 data = yaml.safe_load(f)
 
                 kind = data.get("kind", None)
-                if kind == 'Secret':
-                    if 'sops' not in data:
-                        print(f'Sops not defined: {filename}')
-                        retval = 1
+
+                if kind == 'Secret' and 'sops' not in data:
+                    print(f'Secret is not encrypted with SOPS: {filename}')
+                    retval = 1
             except:
                 continue