From f3bef9dfb164584bcd75292feba65cfe2fffce5c Mon Sep 17 00:00:00 2001
From: vaultsovereign
Date: Wed, 17 Dec 2025 15:24:01 +0000
Subject: [PATCH] Add CI secret tripwire and vault guard
---
 .gitlab-ci.yml | 36 ++++++++++++++++++++++++++++++++++++
 vault/README.md | 12 ++++++++++++
 2 files changed, 48 insertions(+)
 create mode 100644 .gitlab-ci.yml
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..74ed9aa
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,36 @@
+stages: [verify]
+
+verify:no_secrets:
+ stage: verify
+ image: alpine:latest
+ script:
+ - apk add --no-cache git grep
+
+ # Global secret scan (cheap but effective)
+ - |
+ set +e
+ secret_re='(BEGIN (RSA|OPENSSH|EC) PRIVATE KEY|-----BEGIN PGP PRIVATE KEY BLOCK-----|aws_secret_access_key|AKIA[0-9A-Z]{16}|xox[baprs]-[0-9A-Za-z-]{10,}|ghp_[A-Za-z0-9]{36}|glpat-[A-Za-z0-9_-]{20,})'
+ git grep -nE "$secret_re" -- .
+ status=$?
+ set -e
+
+ if [ "$status" -eq 0 ]; then
+ echo "❌ Potential secret detected. Remove it or encrypt it into vault/."
+ exit 1
+ elif [ "$status" -ne 1 ]; then
+ echo "❌ Secret scan failed (git grep exit $status)."
+ exit "$status"
+ fi
+
+ # Vault plaintext guard (tracked files only)
+ - |
+ set -eu
+
+ allowed_vault_re='(^vault/README\.md$|^vault/\.gitkeep$|^vault/tmp/\.gitignore$|\.age$|\.sops\.)'
+ bad_vault_files="$(git ls-files vault | grep -vE "$allowed_vault_re" || true)"
+
+ if [ -n "$bad_vault_files" ]; then
+ echo "❌ Plaintext file detected in vault/. Encrypt before commit:"
+ echo "$bad_vault_files"
+ exit 1
+ fi
diff --git a/vault/README.md b/vault/README.md
index f6cd3cb..536d48b 100644
--- a/vault/README.md
+++ b/vault/README.md
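Review bot: The tripwire trips on itself: `git grep -nE "$secret_re" -- .` searches every tracked file, and the `secret_re=` line in this very `.gitlab-ci.yml` literally contains `-----BEGIN PGP PRIVATE KEY BLOCK-----` and `aws_secret_access_key`, so `status` is 0 and the job exits 1 on every pipeline regardless of repository content. Exclude the CI definition from the pathspec, e.g. `git grep -nE "$secret_re" -- . ':!.gitlab-ci.yml'`, or keep the pattern list in a separate file that is itself excluded. `git grep -E` is also case-sensitive, so the common env-var form `AWS_SECRET_ACCESS_KEY` slips past; adding `-i` (or an explicit upper-case alternative) closes that, and note the scan covers only the checked-out tree, not history. The vault guard is purely name-based — a plaintext file committed as `vault/foo.age` or `vault/foo.sops.yaml` passes `allowed_vault_re` — so consider also checking for an `age-encryption.org/v1` header or a `sops` metadata block before trusting the suffix. `image: alpine:latest` is unpinned; a fixed tag or digest would make the tripwire's own supply chain reproducible.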
@@ -10,3 +10,15 @@ Rules: Decryption/working material belongs in `vault/tmp/` (gitignored) and should be wiped after use. +## Allowed files + +The vault is for ciphertext, plus documentation. + +Allowed: + +- `*.age` +- `*.sops.*` +- `README.md` +- `.gitkeep` (if used) + +Anything else under `vault/` is treated as plaintext and is blocked by CI.