A robust pre-commit hook that prevents accidentally committing unencrypted Ansible Vault files to your repository. This script acts as a safety mechanism when working with ansible-vault, ensuring sensitive data remains encrypted.
- Automatic Detection: Checks any file with
vaultin its filename (case-insensitive) - Robust File Handling: Properly handles filenames with spaces and special characters
- Pre-commit Integration: Seamlessly works with the pre-commit framework
- Shellcheck Validated: Passes shellcheck with no warnings
- Clear Feedback: Color-coded output for easy identification of issues
By default, the script checks any file with vault in its filename. It's recommended to include vault in the names of all files containing secrets for this check to work effectively.
- Bash: Version 4.0 or higher (uses arrays and modern bash features)
- Git: Any recent version
- grep: Standard GNU or BSD grep
- pre-commit (optional): For pre-commit framework integration
-
Install pre-commit via pip:
pip install pre-commit
-
Add to your
.pre-commit-config.yamlin your repository root:repos: - repo: https://github.com/brko7/pre-commit-hook-check-ansible-vault-encryption rev: v1.0.0 # Use the latest release tag hooks: - id: check-ansible-vault-encryption
-
Install the hook:
pre-commit install
-
(Optional) Run against all files to test:
pre-commit run --all-files
-
Clone this repository or download the script:
curl -o .git/hooks/pre-commit https://raw.githubusercontent.com/brko7/pre-commit-hook-check-ansible-vault-encryption/main/check_ansible_vault_encryption.sh
-
Make the script executable:
chmod +x .git/hooks/pre-commit
Once installed, the hook runs automatically before each commit:
git add vault_passwords.yml
git commit -m "Add passwords"✅ Encrypted vault (passes):
Vault 'ansible/vault_passwords.yml' is encrypted.
[main abc1234] Add passwords
1 file changed, 10 insertions(+)
❌ Unencrypted vault (fails):
Vault 'ansible/vault_passwords.yml' is not encrypted! Run 'ansible-vault encrypt ansible/vault_passwords.yml && git add ansible/vault_passwords.yml' and try again.
The hook checks any file with vault in its name (case-insensitive):
- ✅
vault_passwords.yml - ✅
group_vars/production/vault.yml - ✅
secrets_VAULT_file.txt - ✅
VAULT_credentials.json - ❌
passwords.yml(no "vault" in name)
A properly encrypted Ansible Vault file starts with:
$ANSIBLE_VAULT;1.1;AES256
66386439653765343264623132353534623566303535646461393437346136306561623762636566
...
To encrypt a file:
ansible-vault encrypt vault_passwords.ymlIf the hook doesn't run:
# Verify installation
pre-commit run --all-files
# Reinstall if needed
pre-commit clean
pre-commit installCheck your bash version:
bash --versionThis script requires Bash 4.0+. On macOS, you may need to install a newer version:
brew install bash--no-verify:
git commit --no-verify -m "Dangerous: bypasses encryption check"Never bypass this hook unless you're certain no sensitive data is being committed.
If you have a file with "vault" in the name that shouldn't be checked:
- Rename the file to not include "vault"
- Or exclude it in
.pre-commit-config.yaml:hooks: - id: check-ansible-vault-encryption exclude: 'path/to/false_positive.yml'
This project is licensed under the MIT License - see the LICENSE file for details.
If you encounter any issues or have questions, please open an issue on GitHub.