37 lines
1.1 KiB
YAML
37 lines
1.1 KiB
YAML
stages: [verify]
|
|
|
|
verify:no_secrets:
|
|
stage: verify
|
|
image: alpine:latest
|
|
script:
|
|
- apk add --no-cache git grep
|
|
|
|
# Global secret scan (cheap but effective)
|
|
- |
|
|
set +e
|
|
secret_re='(BEGIN (RSA|OPENSSH|EC) PRIVATE KEY|-----BEGIN PGP PRIVATE KEY BLOCK-----|aws_secret_access_key|AKIA[0-9A-Z]{16}|xox[baprs]-[0-9A-Za-z-]{10,}|ghp_[A-Za-z0-9]{36}|glpat-[A-Za-z0-9_-]{20,})'
|
|
git grep -nE "$secret_re" -- .
|
|
status=$?
|
|
set -e
|
|
|
|
if [ "$status" -eq 0 ]; then
|
|
echo "❌ Potential secret detected. Remove it or encrypt it into vault/."
|
|
exit 1
|
|
elif [ "$status" -ne 1 ]; then
|
|
echo "❌ Secret scan failed (git grep exit $status)."
|
|
exit "$status"
|
|
fi
|
|
|
|
# Vault plaintext guard (tracked files only)
|
|
- |
|
|
set -eu
|
|
|
|
allowed_vault_re='(^vault/README\.md$|^vault/\.gitkeep$|^vault/tmp/\.gitignore$|\.age$|\.sops\.)'
|
|
bad_vault_files="$(git ls-files vault | grep -vE "$allowed_vault_re" || true)"
|
|
|
|
if [ -n "$bad_vault_files" ]; then
|
|
echo "❌ Plaintext file detected in vault/. Encrypt before commit:"
|
|
echo "$bad_vault_files"
|
|
exit 1
|
|
fi
|