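.PHONY: sops-encrypt sops-decrypt sops-ci kics

# Encrypt plaintext secrets with SOPS, writing <file>.sops (JSON form) next to
# each input.
#   FILE=<path>  encrypt one file; either the plaintext name or its .sops name
#                may be given, the plaintext is always what gets read.
#   (no FILE)    encrypt every *.secrets.* file that is not already a .sops file.
# The plaintext is left in place -- `sops-ci` is the guard that keeps it out of
# git. A failing `sops` call aborts the target and removes the partial .sops
# output instead of leaving a truncated ciphertext file behind.
# Filenames containing whitespace are not supported (the loop word-splits).
sops-encrypt:
	@echo "Encrypting with SOPS..."; \
	f="$(FILE)"; \
	if [ -n "$$f" ]; then \
	  case "$$f" in \
	    *.sops) base="$${f%.sops}" ;; \
	    *)      base="$$f" ;; \
	  esac; \
	  if [ -f "$$base" ]; then \
	    FILES="$$base"; \
	  elif [ -f "$$base.sops" ]; then \
	    echo "Error: plaintext $$base not found for $$base.sops" >&2; \
	    exit 1; \
	  else \
	    echo "Error: $$f not found" >&2; \
	    exit 1; \
	  fi; \
	else \
	  FILES="$$(find . -name "*.secrets.*" -type f ! -name "*.sops")"; \
	fi; \
	for file in $$FILES; do \
	  echo "Encrypting $$file..."; \
	  if ! sops --output-type json --encrypt "$$file" > "$$file.sops"; then \
	    rm -f "$$file.sops"; \
	    echo "Error: failed to encrypt $$file" >&2; \
	    exit 1; \
	  fi; \
	done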
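# Decrypt SOPS files back to plaintext next to them.
#   FILE=<path>  decrypt one file; the plaintext name or its .sops name may be
#                given, the .sops file is always what gets read (the original
#                recipe truncated an existing plaintext when FILE named it).
#   (no FILE)    decrypt every *.secrets.*.sops file.
# The output type follows the plaintext extension. The plaintext is written to
# a 0600 mktemp file in the same directory, set to 0400 and renamed into place,
# so a failed decryption never leaves a truncated or world-readable secrets
# file, and the read-only result still discourages editing the plaintext
# instead of the .sops source.
# Filenames containing whitespace are not supported (the loop word-splits).
sops-decrypt:
	@echo "Decrypting with SOPS..."; \
	f="$(FILE)"; \
	if [ -n "$$f" ]; then \
	  case "$$f" in \
	    *.sops) enc="$$f" ;; \
	    *)      enc="$$f.sops" ;; \
	  esac; \
	  if [ ! -f "$$enc" ]; then \
	    echo "Error: $$enc not found" >&2; \
	    exit 1; \
	  fi; \
	  FILES="$$enc"; \
	else \
	  FILES="$$(find . -name "*.secrets.*.sops" -type f)"; \
	fi; \
	for file in $$FILES; do \
	  echo "Decrypting $$file..."; \
	  base="$${file%.sops}"; \
	  ext="$${base##*.}"; \
	  case "$$ext" in \
	    yaml|yml) output_type="yaml" ;; \
	    json)     output_type="json" ;; \
	    env)      output_type="dotenv" ;; \
	    *)        output_type="binary" ;; \
	  esac; \
	  tmp="$$(mktemp "$$(dirname "$$base")/.sops-decrypt.XXXXXX")" || exit 1; \
	  if ! sops --decrypt --output-type "$$output_type" "$$file" > "$$tmp"; then \
	    rm -f "$$tmp"; \
	    echo "Error: failed to decrypt $$file" >&2; \
	    exit 1; \
	  fi; \
	  chmod 0400 "$$tmp"; \
	  mv -f "$$tmp" "$$base"; \
	done
# NOTE(review): the json/dotenv mappings above are new; as far as I can tell
# sops' binary output expects a single `data` key and fails on structured
# inputs, so .json/.env secrets encrypted by sops-encrypt need them -- confirm
# against the sops version in use. The temp name `.sops-decrypt.*` is chosen so
# it matches neither `*.secrets.*` nor `*.sops` and is never picked up by
# sops-encrypt or sops-ci if a run is killed midway.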
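# CI guard: fail if any plaintext *.secrets.* file is tracked by git, or if a
# tracked *.secrets.*.sops file carries no SOPS metadata (i.e. looks like a
# plaintext that was merely renamed).
# Only the current working tree is inspected -- a plaintext that was committed
# earlier and since deleted is still in history and needs a history rewrite,
# which is out of scope here. Running outside a git work tree is an error
# rather than a silent pass (git ls-files fails for every file there, which
# the original recipe read as "not tracked").
# Filenames containing whitespace are not supported (the loops word-split).
sops-ci:
	@echo "Checking for unencrypted secrets tracked by git..."; \
	if ! git rev-parse --is-inside-work-tree >/dev/null 2>&1; then \
	  echo "Error: not inside a git work tree; cannot check tracked files" >&2; \
	  exit 1; \
	fi; \
	EXIT=0; \
	FILES="$$(find . -name '*.secrets.*' ! -name '*.secrets.*.sops' -type f)"; \
	for file in $$FILES; do \
	  if git ls-files --error-unmatch "$$file" >/dev/null 2>&1; then \
	    echo "Error: Unencrypted secrets file tracked by git: $$file" >&2; \
	    EXIT=1; \
	  fi; \
	done; \
	SOPS_FILES="$$(find . -name '*.secrets.*.sops' -type f)"; \
	for file in $$SOPS_FILES; do \
	  if git ls-files --error-unmatch "$$file" >/dev/null 2>&1 \
	     && ! grep -Eq '"sops"[[:space:]]*:|^sops:' "$$file"; then \
	    echo "Error: tracked .sops file has no SOPS metadata (plaintext?): $$file" >&2; \
	    EXIT=1; \
	  fi; \
	done; \
	if [ $$EXIT -ne 0 ]; then \
	  echo "One or more unencrypted secrets files are tracked by git. Please remove them from version control." >&2; \
	  exit 1; \
	fi
# NOTE(review): the metadata grep is a heuristic -- it catches a plaintext
# committed under a .sops name (the JSON store written by sops-encrypt carries a
# top-level "sops" key; YAML-form files carry `sops:`), but a file containing
# the marker is not thereby proven encrypted. `sops --decrypt` would be the
# authoritative check and needs key access, which CI may not have.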
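# Scanner image for the `kics` target. The unpinned `latest` tag is kept as
# the default so behaviour is unchanged, but a mutable tag means the scanner
# (and its findings) can change under you and is a supply-chain exposure;
# override with a release tag or, better, a digest taken from the upstream
# release: `make kics KICS_IMAGE=checkmarx/kics@sha256:<digest>`.
KICS_IMAGE ?= checkmarx/kics:latest

# Run a KICS IaC scan over the repository root.
# --rm drops the container afterwards instead of accumulating stopped ones.
# $(CURDIR) is make's own working directory (PWD comes from the environment
# and is stale under `make -C`), and the mount is quoted so paths containing
# spaces work.
# Caveat: any plaintext left by sops-decrypt is in the tree and gets mounted
# into the scanner too; remove it (or run sops-ci) first if that matters.
# NOTE(review): no -o is passed, so the mount could probably be `:ro`; left
# read-write pending confirmation that kics needs no write access to /path.
kics:
	docker run --rm -t -v "$(CURDIR):/path" $(KICS_IMAGE) scan -p /path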