NiklasRosenstein · June 4, 2025 20:28
diff --git a/sops.schema.yaml b/sops.schema.yaml
 {
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "SOPS Configuration File",
  "description": "Schema for the .sops.yaml file, defining encryption rules for SOPS.",
  "type": "object",
  "properties": {
    "creation_rules": {
      "type": "array",
      "description": "A list of rules to apply when creating new SOPS encrypted files. Rules are evaluated sequentially, and the first match wins.",
      "items": {
        "type": "object",
        "properties": {
          "path_regex": {
            "type": "string",
            "description": "A regular expression that matches the path of the file relative to the .sops.yaml file. If omitted, the rule acts as a catch-all."
          },
          "encrypted_regex": {
            "type": "string",
            "description": "A regular expression to match keys that should be encrypted. If a key matches this regex, its value will be encrypted. By default, everything is encrypted except for the 'sops' key."
          },
          "kms": {
            "type": "string",
            "description": "Comma-separated list of AWS KMS ARN(s) to use for encryption. Each ARN can optionally be followed by '+<IAM Role ARN>' to specify an IAM role to assume."
          },
          "pgp": {
            "type": "string",
            "description": "Comma-separated list of PGP fingerprints to use for encryption. Append '!' to a fingerprint to force GnuPG to use a specific subkey."
          },
          "age": {
            "type": "string",
            "description": "Comma-separated list of age recipients (public keys) to use for encryption."
          },
          "gcp_kms": {
            "type": "string",
            "description": "GCP KMS Resource ID to use for encryption."
          },
          "azure_kv": {
            "type": "string",
            "description": "Azure Key Vault key identifier (URL) to use for encryption."
          },
          "hc_vault_transit_uri": {
            "type": "string",
            "description": "HashiCorp Vault Transit URI to use for encryption. This should include the Vault address, path to the transit engine, and key name (e.g., http://localhost:8200/v1/sops/keys/firstkey)."
          }
        },
        "additionalProperties": false
      }
    }
  },
  "additionalProperties": false
 }
	{
	"$schema": "http://json-schema.org/draft-07/schema#",
	"title": "SOPS Configuration File",
	"description": "Schema for the .sops.yaml file, defining encryption rules for SOPS.",
	"type": "object",
	"properties": {
	"creation_rules": {
	"type": "array",
	"description": "A list of rules to apply when creating new SOPS encrypted files. Rules are evaluated sequentially, and the first match wins.",
	"items": {
	"type": "object",
	"properties": {
	"path_regex": {
	"type": "string",
	"description": "A regular expression that matches the path of the file relative to the .sops.yaml file. If omitted, the rule acts as a catch-all."
	},
	"encrypted_regex": {
	"type": "string",
	"description": "A regular expression to match keys that should be encrypted. If a key matches this regex, its value will be encrypted. By default, everything is encrypted except for the 'sops' key."
	},
	"kms": {
	"type": "string",
	"description": "Comma-separated list of AWS KMS ARN(s) to use for encryption. Each ARN can optionally be followed by '+<IAM Role ARN>' to specify an IAM role to assume."
	},
	"pgp": {
	"type": "string",
	"description": "Comma-separated list of PGP fingerprints to use for encryption. Append '!' to a fingerprint to force GnuPG to use a specific subkey."
	},
	"age": {
	"type": "string",
	"description": "Comma-separated list of age recipients (public keys) to use for encryption."
	},
	"gcp_kms": {
	"type": "string",
	"description": "GCP KMS Resource ID to use for encryption."
	},
	"azure_kv": {
	"type": "string",
	"description": "Azure Key Vault key identifier (URL) to use for encryption."
	},
	"hc_vault_transit_uri": {
	"type": "string",
	"description": "HashiCorp Vault Transit URI to use for encryption. This should include the Vault address, path to the transit engine, and key name (e.g., http://localhost:8200/v1/sops/keys/firstkey)."
	}
	},
	"additionalProperties": false
	}
	}
	},
	"additionalProperties": false
	}