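stages: [verify]

# Fails the pipeline when a tracked file looks like it contains a credential,
# or when vault/ holds a file that is not in one of the accepted encrypted forms.
verify:no_secrets:
  stage: verify
  # TODO(review): pin the image to a digest (alpine:<version>@sha256:<digest>)
  # so the scanner toolchain is reproducible and tamper-evident across runs.
  image: alpine:latest
  script:
    - apk add --no-cache git grep

    # Global secret scan (cheap but effective).
    # Scope: tracked files in the working tree only -- not git history and not
    # untracked/generated files. vault/ is skipped here because its encrypted
    # payloads are covered by the filename guard below.
    - |
      set -u
      # Single-character bracket classes (BEGI[N], gh[p]_, ...) keep this file
      # from matching its own pattern when it is scanned.
      secret_re='(-----BEGI[N] (RSA|OPENS[S]H|EC) PRIV[A]TE KEY-----|-----BEGI[N] ENCR[Y]PTED PRIV[A]TE KEY-----|-----BEGI[N] PRIV[A]TE KEY-----|-----BEGI[N] PGP PRIV[A]TE KEY BLOC[K]-----|aws_secret_access_[k]ey|AKI[A][0-9A-Z]{16}|xox[baprs]-[0-9A-Za-z-]{10,}|gh[p]_[A-Za-z0-9]{36}|glp[a]t-[A-Za-z0-9_-]{20,})'
      # git grep exits 0 on a match, 1 on no match, >1 on error. Capture the
      # status instead of letting the runner's errexit abort on "no match".
      status=0
      matches="$(git grep -lE "$secret_re" -- . ':!vault/**')" || status=$?
      if [ "$status" -eq 0 ]; then
        printf '%s\n' "❌ Potential secret detected in:"
        # printf rather than echo: file names are data and may begin with '-'.
        printf '%s\n' "$matches"
        printf '\n'
        printf '%s\n' "Remove it or encrypt it into vault/."
        exit 1
      elif [ "$status" -ne 1 ]; then
        printf '%s\n' "❌ Secret scan failed (git grep exit $status)."
        exit "$status"
      fi

    # Vault plaintext guard (tracked files only).
    # NOTE(review): this is a filename check; it does not verify that a .age or
    # .sops. file is actually encrypted -- confirm that is acceptable.
    - |
      set -eu
      allowed_vault_re='(^vault/README\.md$|^vault/\.gitkeep$|^vault/tmp/\.gitignore$|\.age$|\.sops\.)'
      # grep exits 1 when every tracked vault file is allowed; that is the
      # success case, hence "|| true".
      bad_vault_files="$(git ls-files vault | grep -vE -- "$allowed_vault_re" || true)"
      if [ -n "$bad_vault_files" ]; then
        printf '%s\n' "❌ Plaintext file detected in vault/. Encrypt before commit:"
        printf '%s\n' "$bad_vault_files"
        exit 1
      fi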
|