Ansible-lint - Ensure encryption of Vault Files *vault.yml or *vault.yaml

It would be nice to have an ansible-lint check that raises an error if unencrypted ansible-vault files are present.

In my applications I use the file naming convention *vault.yml or *vault.yaml to mark ansible-vault files.

The test could be that the first line in file must contain the string ‘$ANSIBLE_VAULT;’.

Is it possible to get such linting functionality implemented?

file: test-vault.yml

$ANSIBLE_VAULT;1.1;AES256
61653561323038376533663939623239626464623034656239303465373463383139363434633936
3961646165636637626431333365376665323630303430350a383331393530613234653062373935
33333736336438626266346331333866366662656337626666316565646337333361633231336439
3162313330633034370a356464323031323765643038623264333962396661623033336163626237
66663236636133336131623330336264373863386163643631666661393165333736376439326565
39303335383764653866636233663638326466663831383331393538346237666633383233353535
33386463646364623639643037616231363334623765336339376634383733376466336663346265
3833356436386262363164393737356435353538346461653131


There is no such thing as an “unencrypted ansible-vault file”. Ansible does not enforce any naming conventions on vars files, vault-encrypted or otherwise.

Like Gaffney says, Ansible doesn't know or care about whether a file is a vault or not. This is something that has typically been punted to being solved at the SCM layer, like a git hook that takes your convention and looks to see if the first line of the suspected vault file has been vaulted.
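The check proposed in the original post (first line must start with `$ANSIBLE_VAULT;` for every `*vault.yml` / `*vault.yaml`) and the git-hook approach the reply points at, combined into one POSIX sh script. This is an added example, not code from the thread, from ansible-lint or from Ansible; the function names, the `--staged` flag and the sample file contents in comments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): enforce the naming convention that
# every file matching *vault.yml or *vault.yaml must be ansible-vault
# encrypted, i.e. its first line starts with "$ANSIBLE_VAULT;".
# Function names and the --staged mode are assumptions for illustration.

# is_vaulted FILE
# Returns 0 if FILE's first line starts with $ANSIBLE_VAULT;, 1 otherwise
# (including when FILE cannot be read). Only the header line is inspected.
is_vaulted() {
    first_line=$(head -n 1 "$1" 2>/dev/null) || return 1
    case "$first_line" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_vault_files PATH...
# Applies the convention only to paths ending in vault.yml / vault.yaml,
# reports each plaintext offender on stderr and returns the offender count
# (0 means clean, so the return value doubles as a pass/fail exit status).
check_vault_files() {
    bad=0
    for f in "$@"; do
        case "$f" in
            *vault.yml|*vault.yaml)
                if ! is_vaulted "$f"; then
                    echo "UNENCRYPTED VAULT FILE: $f" >&2
                    bad=$((bad + 1))
                fi
                ;;
        esac
    done
    return "$bad"
}

# Hook mode: when installed as .git/hooks/pre-commit and invoked with
# --staged, check only the added/copied/modified files in the index
# (git diff --cached --name-only --diff-filter=ACM lists exactly those).
# Any offender makes the hook exit non-zero, which aborts the commit.
if [ "${1:-}" = "--staged" ]; then
    # shellcheck disable=SC2046  # word-splitting the path list is intended
    check_vault_files $(git diff --cached --name-only --diff-filter=ACM)
    exit $?
fi
```

Usage: copy the script to `.git/hooks/pre-commit`, make it executable, and have the hook call itself with `--staged` (for example by ending the hook with `"$0" --staged`), or run `check_vault_files` over an explicit file list from CI. Two caveats a practitioner should keep in mind: the check is only as strong as the naming convention, so a plaintext secret in a file named `vars.yml` passes untouched, and a header match says nothing about whether the rest of the file is intact or which vault ID it was encrypted with; for that, `ansible-vault view` against the file with the real password is the only definitive test.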