bagelhole/sops-encryption
security/secrets/sops-encryption/SKILL.md
Encrypt files and configs with Mozilla SOPS. Integrate with AWS KMS, GCP KMS, or PGP for key management. Use when encrypting configuration files, Kubernetes secrets, or implementing GitOps with encrypted secrets.
$ install --global
skillsauthnpx skillsauth add bagelhole/devops-security-agent-skills sops-encryptionInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 3, 2026, 5:06 PM5.5s1 file scanned
SKILL.md
- name:
- sops-encryption
- description:
- Encrypt files and configs with Mozilla SOPS. Integrate with AWS KMS, GCP KMS, or PGP for key management. Use when encrypting configuration files, Kubernetes secrets, or implementing GitOps with encrypted secrets.
- license:
- MIT
- author:
- devops-skills
- version:
- 1.0
SOPS Encryption
Encrypt secrets in configuration files while keeping structure visible.
When to Use This Skill
Use this skill when:
- Encrypting secrets in Git
- Implementing GitOps with secrets
- Managing Kubernetes secrets as code
- Encrypting configuration files
Prerequisites
- SOPS installed
- KMS access (AWS, GCP, Azure) or PGP key
Installation
# macOS
brew install sops
# Linux
wget https://github.com/getsops/sops/releases/download/v3.8.0/sops-v3.8.0.linux.amd64
chmod +x sops-v3.8.0.linux.amd64
mv sops-v3.8.0.linux.amd64 /usr/local/bin/sops
Basic Usage
# Encrypt with AWS KMS
sops --encrypt --kms arn:aws:kms:region:account:key/key-id secrets.yaml > secrets.enc.yaml
# Decrypt
sops --decrypt secrets.enc.yaml
# Edit encrypted file
sops secrets.enc.yaml
# Encrypt in place
sops --encrypt --in-place secrets.yaml
Configuration
# .sops.yaml
creation_rules:
- path_regex: .*\.prod\.yaml$
kms: arn:aws:kms:us-east-1:account:key/prod-key
- path_regex: .*\.dev\.yaml$
kms: arn:aws:kms:us-east-1:account:key/dev-key
- path_regex: .*
pgp: fingerprint
Kubernetes Integration
# encrypted secret
apiVersion: v1
kind: Secret
metadata:
name: myapp-secrets
type: Opaque
stringData:
password: ENC[AES256_GCM,data:encrypted...]
sops:
kms:
- arn: arn:aws:kms:region:account:key/key-id
# With ArgoCD
# Install ksops plugin for ArgoCD to decrypt secrets
Best Practices
- Store .sops.yaml in repository
- Use different keys per environment
- Rotate encryption keys regularly
- Never commit unencrypted secrets
- Use key aliases for readability
Related Skills
- hashicorp-vault - Centralized secrets
- argocd-gitops - GitOps integration
Related Skills
bagelhole/sre-dashboards
development
VerifiedTrustedCommunity
Design and operationalize SRE dashboards that surface reliability, latency, error, saturation, and capacity signals across services. Use when building observability views for SLOs, incident response, and executive reliability reporting.
28SKILL.mdUpdated May 23, 2026
bagelhole/openclaw-security-hardening
testing
VerifiedTrustedCommunity
Harden OpenClaw self-hosted environments with baseline host controls, auth tightening, secret handling, network segmentation, and safe update/rollback workflows. Use when deploying OpenClaw in home labs, startups, or production-like local AI infrastructure.
28SKILL.mdUpdated Apr 3, 2026
bagelhole/vector-database-ops
devops
VerifiedTrustedCommunity
Deploy, manage, and optimize vector databases for AI applications. Covers Qdrant, Weaviate, pgvector, and Pinecone — collection management, indexing strategies, backup, and performance tuning for production RAG and semantic search workloads.
28SKILL.mdUpdated Apr 3, 2026
bagelhole/model-serving-kubernetes
testing
VerifiedTrustedCommunity
Deploy ML models on Kubernetes with KServe (formerly KFServing) and NVIDIA Triton Inference Server. Includes canary deployments, autoscaling, model versioning, A/B testing, and GPU resource management for production model serving.
28SKILL.mdUpdated Apr 3, 2026