Utility to ensure SOPS secrets are encrypterd.
Project description
IsOPS: Is OPerations Secure
__/\\\\\\\\\\\____________________/\\\\\_______/\\\\\\\\\\\\\_______/\\\\\\\\\\\___
_\/////\\\///___________________/\\\///\\\____\/\\\/////////\\\___/\\\/////////\\\_
_____\/\\\____________________/\\\/__\///\\\__\/\\\_______\/\\\__\//\\\______\///__
_____\/\\\______/\\\\\\\\\\__/\\\______\//\\\_\/\\\\\\\\\\\\\/____\////\\\_________
_____\/\\\_____\/\\\//////__\/\\\_______\/\\\_\/\\\/////////_________\////\\\______
_____\/\\\_____\/\\\\\\\\\\_\//\\\______/\\\__\/\\\_____________________\////\\\___
_____\/\\\_____\////////\\\__\///\\\__/\\\____\/\\\______________/\\\______\//\\\__
__/\\\\\\\\\\\__/\\\\\\\\\\____\///\\\\\/_____\/\\\_____________\///\\\\\\\\\\\/___
_\///////////__\//////////_______\/////_______\///________________\///////////_____
IsOPS (Is OPerations Secure) is a minimal command line utility that helps you ensure that your secrets are encrypted correctly with sops before committing them. isops
will read your configuration files, will scan all your secrets and alerts you if it finds any key that should be encrypted but it's not.
CLI
user@laptop:~$ isops
Usage: isops [OPTIONS] PATH
Top level command.
Options:
-h, --help Show this message and exit.
--version Show the version and exit.
--config-regex TEXT The regex that matches all the config files to use.
[required]
You must provide a directory to scan and a regex that matches all the sops configuration files.
How it works?
isops
is called with a directory and a regex. Then:
- It finds the config files using the provided regex.
- For each rule in
creation_rules
it finds the files according to thepath_regex
. - For each file found,
isops
scans all the keys, no matter how nested the yaml is, in search for those keys that match theencrypted_regex
. - For each matched key, it checks if the associated value matches the sops regex
"^ENC\[AES256_GCM,data:(.+),iv:(.+),tag:(.+),type:(.+)\]"
.
If the config file doesn't provide a path_regex
or a encrypted_regex
, the default values are, respectively, "\.ya?ml$"
and ""
.
Usage example
Suppose you have this situation:
example
├── .sops.yaml
└── secret.yaml
A .sops.yaml
:
creation_rules:
- path_regex: (.*)?secret.yaml$
encrypted_regex: "^(data|stringData)$"
pgp: "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4"
and a secret.yaml
:
apiVersion: v1
data:
key: aGhkZDg4OGRoODRmaDQ4ZmJlbnNta21rbHdtc2k4
kind: Secret
metadata:
name: api-key
type: Opaque
If you run isops
you get a warning because your secret is not encrypted:
user@laptop:~$ isops ./example --config-regex .sops.yaml
Found config file: example/.sops.yaml
example/secret.yaml::key [UNSAFE]
user@laptop:~$ echo $?
1
If the same secret is encrypted with sops:
apiVersion: v1
data:
key: ENC[AES256_GCM,data:iCBh27Ort/dNVhP9D4y/AqI5d78U+2EHtHPX9u0/s9ANhA2VeqKSOQ==,iv:HkQVUgB6nvN3TU355K/PTU2NroahHAdoJhzJdgZFMwo=,tag:ayNppVmYJ/MLGrW9RtjV1A==,type:str]
kind: Secret
metadata:
name: api-key
type: Opaque
sops:
etc...
then isops
will give you the green light:
user@laptop:~$ isops ./example --config-regex .sops.yaml
Found config file: example/.sops.yaml
example/secret.yaml::key [SAFE]
user@laptop:~$ echo $?
0
Another example
You can have a more complicated scenario where there are multiple sops configuration files, multiple environments and lots of secrets.
Suppose you have this situation:
example
├── .sops
│ ├── sops-dev.yaml
│ └── sops-prod.yaml
├── dev
│ ├── api-key-secret.yaml <- Encrypted
│ ├── db-password-secret.yaml <- Encrypted
│ ├── deployment.yaml
│ └── service.yaml
└── prod
├── api-key-secret.yaml <- Not encrypted!
├── db-password-secret.yaml <- Encrypted
├── deployment.yaml
└── service.yaml
Then if you run isops
you get:
user@laptop:~$ isops example --config-regex "example/.sops/(.*).yaml$"
Found config file: example/.sops/sops-dev.yaml
Found config file: example/.sops/sops-prod.yaml
example/dev/db-password-secret.yaml::password [SAFE]
example/dev/api-key-secret.yaml::key [SAFE]
example/prod/db-password-secret.yaml::password [SAFE]
example/prod/api-key-secret.yaml::key [UNSAFE]
The previous example can be found in the example
directory. The sample application was generated by ChatGPT with the prompt: "Please, generate an example Kubernetes application with two secrets".
License
This project is licensed under the MIT License - see the LICENSE file for details.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.