Pre-commit hook to stop accidentally committing unencrypted z2jh secrets to a repo

I’m a huge fan of using sops to keep encrypted secret config (like authentication keys, cookie secret keys, etc) in a github repository. This helps keep all config in one location, and allows fine-grained access to who can get access to the secrets. I do this in all my z2jh deployment repos - see datahub/deployments/datahub/secrets at staging · berkeley-dsep-infra/datahub · GitHub for example.

However, there is always the risk of accidentally committing a secret without encrypting it first! This can have tragic consequences, especially if it is something like an AWS secret key or a GCP service account JSON. Cloud providers usually do a good job revoking any creds found on GitHub immediately and automatically, but relying on that is not a good idea.

To protect against this, I’ve written a pre-commit hook that will test whether you are trying to commit unencrypted files, and fail at the git commit stage! Check it out at GitHub - yuvipanda/pre-commit-hook-ensure-sops: pre-commit hook to ensure that files that should be encrypted with sops are.

This work was inspired by @sgibson91’s and @consideratio’s work on preventing this from happening via a very clever .gitignore file along with some conventions on file naming.

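To show what such a hook has to check, here is an added, self-contained example of a minimal sops-encryption check in Python. It is not the code of yuvipanda/pre-commit-hook-ensure-sops and makes these assumptions about sops' on-disk format: an encrypted YAML or JSON file carries a top-level `sops` mapping with metadata keys such as `mac` and `version`, and the `sops:` block in YAML is written at column 0 with its children indented. The sample documents are constructed for the example.

```python
"""Minimal pre-commit style check: refuse files that should be sops-encrypted
but are not. Added example, not the original hook.

Assumption: sops writes a top-level `sops` mapping (with at least `mac` and
`version`) into every file it encrypts. A plaintext secrets file has none.
"""
import json
import sys
from pathlib import Path

# Metadata keys sops always emits; their absence means the file was never
# run through `sops -e` (assumption about the sops file format).
REQUIRED_SOPS_METADATA = ("mac", "version")


def sops_metadata_from_json(text):
    """Return the `sops` metadata mapping of a JSON document, or None."""
    doc = json.loads(text)
    if not isinstance(doc, dict):
        return None
    meta = doc.get("sops")
    return meta if isinstance(meta, dict) else None


def sops_metadata_from_yaml(text):
    """Scan a YAML document for a top-level `sops:` block without PyYAML.

    Only the keys directly under `sops:` are collected; every other
    top-level key and its children are ignored.
    """
    meta = {}
    in_sops = False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":
            # A new top-level key starts; remember whether it is `sops:`.
            in_sops = line.rstrip() == "sops:"
            continue
        if in_sops:
            key, sep, value = line.strip().partition(":")
            if sep:
                meta[key] = value.strip()
    return meta or None


def is_sops_encrypted(text, suffix):
    """True only if the document carries a complete sops metadata block."""
    try:
        if suffix.lower() == ".json":
            meta = sops_metadata_from_json(text)
        else:
            meta = sops_metadata_from_yaml(text)
    except ValueError:  # malformed JSON is treated as "not encrypted"
        return False
    if not meta:
        return False
    return all(key in meta for key in REQUIRED_SOPS_METADATA)


def find_unencrypted(documents):
    """Given {filename: contents}, return the filenames that are not encrypted."""
    return [
        name for name, text in documents.items()
        if not is_sops_encrypted(text, Path(name).suffix)
    ]


def check_files(paths):
    """Read the staged files pre-commit passes on argv and report plaintext ones."""
    return find_unencrypted({p: Path(p).read_text() for p in paths})


def main(argv=None):
    argv = sys.argv[1:] if argv is None else argv
    failures = check_files(argv)
    for name in failures:
        print(f"{name}: not encrypted with sops, refusing to commit", file=sys.stderr)
    return 1 if failures else 0


# Constructed sample documents (not real secrets or real sops output).
ENCRYPTED_YAML = """\
jupyterhub:
    hub:
        cookieSecret: ENC[AES256_GCM,data:abc123,iv:xyz,tag:tt,type:str]
sops:
    kms: []
    lastmodified: '2020-01-01T00:00:00Z'
    mac: ENC[AES256_GCM,data:mac,iv:iv,tag:t,type:str]
    version: 3.5.0
"""
PLAINTEXT_YAML = "jupyterhub:\n    hub:\n        cookieSecret: 0123456789abcdef\n"
ENCRYPTED_JSON = json.dumps({"key": "ENC[AES256_GCM,data:x,type:str]",
                             "sops": {"mac": "ENC[...]", "version": "3.5.0"}})
PLAINTEXT_JSON = '{"private_key": "-----BEGIN PRIVATE KEY-----\\n..."}'

if __name__ == "__main__":
    sys.exit(main())
```

Wired into pre-commit as a `repo: local` hook with a `files:` pattern limited to the secrets directory, the check runs only on staged files in that path, so an unencrypted file there fails the commit before it ever reaches the remote. Note the half-encrypted case: a file that has a `sops:` key but no `mac` is rejected too, which is the state you get after hand-editing an encrypted file instead of using `sops` to edit it.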