
Feature request: encryption (or failure) based on entropy

Open cgetzen opened this issue 1 year ago • 0 comments

https://github.com/getsops/sops?tab=readme-ov-file#encrypting-only-parts-of-a-file has many ways to partially encrypt files.

One risk is that the regex, prefix, or postfix doesn't account for new secrets, causing them to mistakenly be committed in plaintext.

I'd like for sops to either:

  • encrypt data that looks like a secret, regardless of its key
  • cause a failure when a secret-looking string is not encrypted (with a corresponding --ignore flag)

https://github.com/Yelp/detect-secrets has some definitions of entropy that could be useful references: Base64HighEntropyString and HexHighEntropyString.

cgetzen, Jul 12 '24 21:07
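The checking half of the request (fail when a secret-looking value is not encrypted, with an ignore list standing in for the proposed --ignore flag), as an added example in Python; this is not sops or detect-secrets code. It takes an already-parsed document (a dict constructed inline, standing in for the output of a YAML parser), skips leaves that sops has already wrapped as ENC[...], skips the sops metadata block, and scores the remaining string leaves with Shannon entropy over hex and base64 alphabets in the style of detect-secrets' HexHighEntropyString and Base64HighEntropyString plugins. The thresholds 3.0 and 4.5 and the 20-character minimum are assumed defaults; verify them against the plugin version you use.

```python
import math
import re
from typing import Iterator, List, Optional, Set, Tuple

# Alphabets and thresholds modelled on detect-secrets' HexHighEntropyString
# and Base64HighEntropyString plugins (assumed defaults for this example).
HEX_CHARS = "0123456789abcdefABCDEF"
BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
HEX_LIMIT = 3.0
BASE64_LIMIT = 4.5

# Only whole values that are plausibly hex or base64 and at least 20 chars
# long are scored; shorter tokens cannot reach the thresholds (assumed minimum).
HEX_RE = re.compile(r"^[0-9a-fA-F]{20,}$")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")


def shannon_entropy(s: str, charset: str) -> float:
    """Bits per character of s, counting only characters drawn from charset."""
    n = len(s)
    if n == 0:
        return 0.0
    entropy = 0.0
    for c in set(s):
        if c in charset:
            p = s.count(c) / n
            entropy -= p * math.log2(p)
    return entropy


def looks_like_secret(value: str) -> Optional[str]:
    """Return 'hex' or 'base64' for a high-entropy value, else None.
    Hex is tested first because every hex string is also valid base64."""
    if HEX_RE.match(value) and shannon_entropy(value, HEX_CHARS) > HEX_LIMIT:
        return "hex"
    if BASE64_RE.match(value) and shannon_entropy(value, BASE64_CHARS) > BASE64_LIMIT:
        return "base64"
    return None


def is_sops_encrypted(value: str) -> bool:
    # sops writes encrypted leaves as ENC[AES256_GCM,data:...,iv:...,tag:...,type:...]
    return value.startswith("ENC[")


def walk(node, path: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (dotted path, value) for every string leaf of a parsed document."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk(child, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from walk(child, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def find_plaintext_secrets(doc: dict, ignore: Optional[Set[str]] = None) -> List[Tuple[str, str]]:
    """Paths of secret-looking leaves that are not ENC[...]-wrapped.
    `ignore` is a set of dotted paths playing the role of the requested --ignore flag."""
    ignore = ignore or set()
    findings = []
    for path, value in walk(doc):
        # The sops metadata block legitimately carries high-entropy material
        # (key fingerprints, age recipients, the MAC), so it is never reported.
        if path == "sops" or path.startswith("sops."):
            continue
        if path in ignore or is_sops_encrypted(value):
            continue
        kind = looks_like_secret(value)
        if kind:
            findings.append((path, kind))
    return findings


# Constructed sample: a file encrypted with encrypted_regex '^(password|token)$',
# to which two secrets were later added under keys the regex does not cover.
# All values, including the ENC[...] bodies and the age recipient, are made up.
SAMPLE_DOC = {
    "db": {
        "host": "db.internal.example.com",
        "password": "ENC[AES256_GCM,data:8v2kQ1pX,iv:abcd,tag:efgh,type:str]",
        "hex_key": "7f3a91c0e5b2d486a1f9e3c7b05d2a64",  # plaintext, hex
    },
    "api": {
        "token": "ENC[AES256_GCM,data:Zz9kLm3Q,iv:ijkl,tag:mnop,type:str]",
        "signing_secret": "kJ8vL2mQ9xR4tY7wE1aS6dF3gH5jK0zXcVbNmPoI",  # plaintext, base64
    },
    "environment": "productionproductionproduction",  # long but low entropy
    "description": "shared config for the payments service",
    "sops": {
        "age": [{"recipient": "age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p"}],
        "mac": "ENC[AES256_GCM,data:MACMACMAC,iv:qrst,tag:uvwx,type:str]",
        "version": "3.8.1",
    },
}


if __name__ == "__main__":
    for path, kind in find_plaintext_secrets(SAMPLE_DOC):
        print(f"{path}: high-entropy {kind} string is not sops-encrypted")
```

To use this as a pre-commit gate, load the file with a YAML or JSON parser, pass the resulting dict to find_plaintext_secrets, and exit non-zero when the list is non-empty. Note that Shannon entropy ignores character order, so a value like "deadbeefdeadbeefdeadbeef" scores low and is not reported, while a genuinely random 32-character hex key scores close to the 4-bit maximum.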