
Add sops config subcommand to print matched .sops.yaml rules as JSON#2190

Open
djgoku wants to merge 3 commits into
getsops:mainfrom
djgoku:feat/config-subcommand

Conversation

@djgoku

@djgoku djgoku commented May 23, 2026

Summary

sops config <file> prints the .sops.yaml rules (creation and
destination) that apply to a given file path, as JSON. Useful for
previewing which keys would encrypt a file, debugging which path_regex
rule wins, and tooling integration. Only the path is used — the file
does not need to exist on disk.

Example

$ sops config example.yaml
{
  "schema_version": 1,
  "config_path": "/path/to/sops/.sops.yaml",
  "file_path": "/path/to/sops/example.yaml",
  "creation_rules": [
    {
      "rule_index": 0,
      "path_regex": "",
      "pgp": [
        "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4",
        "D7229043384BCC60326C6FB9D8720D957C3D3074"
      ],
      "shamir_threshold": 0,
      "unencrypted_suffix": "",
      "encrypted_suffix": "",
      "unencrypted_regex": "",
      "encrypted_regex": "",
      "unencrypted_comment_regex": "",
      "encrypted_comment_regex": "",
      "mac_only_encrypted": false
    }
  ],
  "destination_rules": []
}

With --require-match, exits with new codes.NoRulesMatched (62) when
no rule applies, while still printing the empty JSON.

Related

Partially addresses #1758 — the no-match case is now introspectable via
sops config even though filestatus itself is unchanged.
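One way to model the first-match-wins rule lookup this subcommand reports, as an added example that is not the PR's or sops's own code: the rule struct, function names and placeholder recipients are constructed, and path_regex is matched against the path made relative to the config directory, as the PR's commit message describes.

```go
// Standalone model of `sops config` rule selection (added example, not sops code).
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"regexp"
)

// NoRulesMatched is the exit code the PR assigns to --require-match failures.
const NoRulesMatched = 62

// CreationRule is a constructed subset of a .sops.yaml creation_rule.
type CreationRule struct {
	PathRegex string   `json:"path_regex"`
	PGP       []string `json:"pgp,omitempty"`
	Age       []string `json:"age,omitempty"`
}

type matchedRule struct {
	RuleIndex int `json:"rule_index"`
	CreationRule
}

// ConfigReport mirrors the JSON shape shown in the PR (schema_version 1).
type ConfigReport struct {
	SchemaVersion int           `json:"schema_version"`
	ConfigPath    string        `json:"config_path"`
	FilePath      string        `json:"file_path"`
	CreationRules []matchedRule `json:"creation_rules"`
}

// MatchRulesForFile returns the index of the first rule whose path_regex matches the
// file path relative to the config's directory; an empty regex matches everything.
// The file need not exist. Returns -1 when no rule applies.
func MatchRulesForFile(configPath, filePath string, rules []CreationRule) (int, error) {
	rel, err := filepath.Rel(filepath.Dir(configPath), filePath)
	if err != nil {
		return -1, err
	}
	rel = filepath.ToSlash(rel) // platform-neutral form before regex matching
	for i, r := range rules {
		if r.PathRegex == "" {
			return i, nil
		}
		re, err := regexp.Compile(r.PathRegex)
		if err != nil {
			return -1, fmt.Errorf("rule %d: %w", i, err)
		}
		if re.MatchString(rel) {
			return i, nil
		}
	}
	return -1, nil
}

// Report returns the JSON view plus the exit code --require-match would use.
func Report(configPath, filePath string, rules []CreationRule) ([]byte, int, error) {
	idx, err := MatchRulesForFile(configPath, filePath, rules)
	if err != nil {
		return nil, 1, err
	}
	rep := ConfigReport{SchemaVersion: 1, ConfigPath: configPath, FilePath: filePath,
		CreationRules: []matchedRule{}} // empty slice, not nil, so JSON prints []
	code := 0
	if idx >= 0 {
		rep.CreationRules = append(rep.CreationRules, matchedRule{idx, rules[idx]})
	} else {
		code = NoRulesMatched
	}
	out, err := json.MarshalIndent(rep, "", "  ")
	return out, code, err
}
```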

djgoku added 3 commits May 23, 2026 12:45
A pure, file-IO-free helper that returns which creation_rule and
destination_rule from .sops.yaml apply to a given absolute file path.
Mirrors parseCreationRuleForFile's first-match-wins semantics; uses
filepath.Rel for platform-aware path normalization. Also adds
NoRulesMatched (62) to the codes package for an upcoming
'sops config --require-match' flag.

Wraps MatchRulesForFile and emits a versioned JSON view (schema_version:
1) of the creation_rule and destination_rule that apply to a given file.
The --require-match flag exits with codes.NoRulesMatched (62) when no
rule applies while still printing the empty result. Output omits dead
recipient fields when key_groups is set (sops's parser uses one or the
other), and splits Azure Key Vault URLs into vaultUrl/key/version to
match azkv.NewMasterKeyFromURL's parsing.

Exercises path normalization through Run using t.TempDir() fixtures:
absolute paths inside/outside the config tree, nested subdirs,
non-existent paths, and the --config override. Includes a contract
test pinning codes.NoRulesMatched to 62.