getsops · icholy · May 7, 2026
diff --git a/aes/cipher.go b/aes/cipher.go
@@ -35,7 +35,7 @@ const nonceSize int = 32
 
 type stashKey struct {
 	additionalData string
-	plaintext      interface{}
+	plaintext      any
 }
 
 // Cipher encrypts and decrypts data keys with AES GCM 256
@@ -77,7 +77,7 @@ func parse(value string) (*encryptedValue, error) {
 }
 
 // Decrypt takes a sops-format value string and a key and returns the decrypted value and a stash value
-func (c Cipher) Decrypt(ciphertext string, key []byte, additionalData string) (plaintext interface{}, err error) {
+func (c Cipher) Decrypt(ciphertext string, key []byte, additionalData string) (plaintext any, err error) {
 	if isEmpty(ciphertext) {
 		return "", nil
 	}
@@ -124,7 +124,7 @@ func (c Cipher) Decrypt(ciphertext string, key []byte, additionalData string) (p
 	return plaintext, err
 }
 
-func isEmpty(value interface{}) bool {
+func isEmpty(value any) bool {
 	switch value := value.(type) {
 	case string:
 		return value == ""
@@ -138,7 +138,7 @@ func isEmpty(value interface{}) bool {
 }
 
 // Encrypt takes one of (string, int, float, bool) and encrypts it with the provided key and additional auth data, returning a sops-format encrypted string.
-func (c Cipher) Encrypt(plaintext interface{}, key []byte, additionalData string) (ciphertext string, err error) {
+func (c Cipher) Encrypt(plaintext any, key []byte, additionalData string) (ciphertext string, err error) {
 	if isEmpty(plaintext) {
 		return "", nil
 	}

diff --git a/age/keysource.go b/age/keysource.go
@@ -227,7 +227,7 @@ func formatError(msg string, err error, errs errSet, unusedLocations []string) e
 		} else if count == 2 {
 			unusedSuffix = fmt.Sprintf("s '%s' and '%s'", unusedLocations[0], unusedLocations[1])
 		} else {
-			unusedSuffix = fmt.Sprintf("s '%s', and '%s'", strings.Join(unusedLocations[:count - 1], "', '"), unusedLocations[count - 1])
+			unusedSuffix = fmt.Sprintf("s '%s', and '%s'", strings.Join(unusedLocations[:count-1], "', '"), unusedLocations[count-1])
 		}
 		unusedSuffix = fmt.Sprintf(". Did not find keys in location%s.", unusedSuffix)
 	}
@@ -282,8 +282,8 @@ func (key *MasterKey) ToString() string {
 }
 
 // ToMap converts the MasterKey to a map for serialization purposes.
-func (key *MasterKey) ToMap() map[string]interface{} {
-	out := make(map[string]interface{})
+func (key *MasterKey) ToMap() map[string]any {
+	out := make(map[string]any)
 	out["recipient"] = key.Recipient
 	out["enc"] = key.EncryptedKey
 	return out

diff --git a/age/keysource_test.go b/age/keysource_test.go
@@ -356,7 +356,7 @@ func TestMasterKey_ToMap(t *testing.T) {
 		Recipient:    mockRecipient,
 		EncryptedKey: "some-encrypted-key",
 	}
-	assert.Equal(t, map[string]interface{}{
+	assert.Equal(t, map[string]any{
 		"recipient": mockRecipient,
 		"enc":       key.EncryptedKey,
 	}, key.ToMap())

diff --git a/age/tui.go b/age/tui.go
@@ -7,11 +7,11 @@ import (
 
 var testOnlyAgePassword string
 
-func printf(format string, v ...interface{}) {
+func printf(format string, v ...any) {
 	log.Printf("age: "+format, v...)
 }
 
-func warningf(format string, v ...interface{}) {
+func warningf(format string, v ...any) {
 	log.Printf("age: warning: "+format, v...)
 }
 
@@ -27,7 +27,7 @@ var pluginTerminalUI = &plugin.ClientUI{
 		if testing.Testing() && testOnlyAgePassword != "" {
 			return testOnlyAgePassword, nil
 		}
-		return pluginTerminalUIImpl.RequestValue(name, message, isSecret);
+		return pluginTerminalUIImpl.RequestValue(name, message, isSecret)
 	},
 	Confirm: func(name, message, yes, no string) (choseYes bool, err error) {
 		return pluginTerminalUIImpl.Confirm(name, message, yes, no)

diff --git a/audit/audit.go b/audit/audit.go
@@ -70,7 +70,7 @@ type config struct {
 var auditors []Auditor
 
 // SubmitEvent handles an event for all auditors
-func SubmitEvent(event interface{}) {
+func SubmitEvent(event any) {
 	for _, auditor := range auditors {
 		auditor.Handle(event)
 	}
@@ -87,7 +87,7 @@ type Auditor interface {
 	// Handle() takes an audit event and attempts to persists it;
 	// how it is persisted and how errors are handled is up to the
 	// implementation of this interface.
-	Handle(event interface{})
+	Handle(event any)
 }
 
 // DecryptEvent contains fields relevant to a decryption event
@@ -133,7 +133,7 @@ func NewPostgresAuditor(connStr string) (*PostgresAuditor, error) {
 
 // Handle persists the audit event by writing a row to the
 // 'audit_event' postgres table
-func (p *PostgresAuditor) Handle(event interface{}) {
+func (p *PostgresAuditor) Handle(event any) {
 	u, err := user.Current()
 	if err != nil {
 		log.Fatalf("Error getting current user for auditing: %s", err)

diff --git a/azkv/keysource.go b/azkv/keysource.go
@@ -119,7 +119,7 @@ func MasterKeysFromURLs(urls string) ([]*MasterKey, error) {
 	if urls == "" {
 		return keys, nil
 	}
-	for _, s := range strings.Split(urls, ",") {
+	for s := range strings.SplitSeq(urls, ",") {
 		k, err := NewMasterKeyFromURL(s)
 		if err != nil {
 			return nil, err
@@ -171,7 +171,7 @@ func (key *MasterKey) Encrypt(dataKey []byte) error {
 }
 
 func (key *MasterKey) ensureKeyHasVersion(ctx context.Context) error {
-	if (key.Version != "") {
+	if key.Version != "" {
 		// Nothing to do
 		return nil
 	}
@@ -301,8 +301,8 @@ func (key *MasterKey) ToString() string {
 }
 
 // ToMap converts the MasterKey to a map for serialization purposes.
-func (key MasterKey) ToMap() map[string]interface{} {
-	out := make(map[string]interface{})
+func (key MasterKey) ToMap() map[string]any {
+	out := make(map[string]any)
 	out["vaultUrl"] = key.VaultURL
 	out["key"] = key.Name
 	out["version"] = key.Version

diff --git a/azkv/keysource_test.go b/azkv/keysource_test.go
@@ -201,7 +201,7 @@ func TestMasterKey_ToMap(t *testing.T) {
 		Version:      "1",
 		EncryptedKey: "this is encrypted",
 	}
-	assert.Equal(t, map[string]interface{}{
+	assert.Equal(t, map[string]any{
 		"vaultUrl":   key.VaultURL,
 		"key":        key.Name,
 		"version":    key.Version,

diff --git a/cmd/sops/common/common.go b/cmd/sops/common/common.go
@@ -162,7 +162,7 @@ func LoadEncryptedFile(loader sops.EncryptedFileLoader, inputPath string) (*sops
 
 // NewExitError returns a cli.ExitError given an error (wrapped in a generic interface{})
 // and an exit code to represent the failure
-func NewExitError(i interface{}, exitCode int) *cli.ExitError {
+func NewExitError(i any, exitCode int) *cli.ExitError {
 	if userErr, ok := i.(sops.UserError); ok {
 		return NewExitError(userErr.UserError(), exitCode)
 	}
@@ -365,7 +365,7 @@ func RecoverDataKeyFromBuggyKMS(opts GenericDecryptOpts, tree *sops.Tree) []byte
 
 	keyToEdit := *originalKey
 
-	encCtxVals := map[string]interface{}{}
+	encCtxVals := map[string]any{}
 	for _, v := range keyToEdit.EncryptionContext {
 		encCtxVals[*v] = ""
 	}
@@ -406,13 +406,6 @@ type Diff struct {
 	Removed []keys.MasterKey
 }
 
-func max(a, b int) int {
-	if a > b {
-		return a
-	}
-	return b
-}
-
 // DiffKeyGroups returns the list of diffs found in two sops.keyGroup slices
 func DiffKeyGroups(ours, theirs []sops.KeyGroup) []Diff {
 	var diffs []Diff

diff --git a/cmd/sops/decrypt.go b/cmd/sops/decrypt.go
@@ -21,7 +21,7 @@ type decryptOpts struct {
 	InputPath       string
 	ReadFromStdin   bool
 	IgnoreMAC       bool
-	Extract         []interface{}
+	Extract         []any
 	KeyServices     []keyservice.KeyServiceClient
 	DecryptionOrder []string
 }
@@ -72,7 +72,7 @@ func decrypt(opts decryptOpts) (decryptedFile []byte, err error) {
 	return decryptedFile, err
 }
 
-func extract(tree *sops.Tree, path []interface{}, outputStore sops.Store) (output []byte, err error) {
+func extract(tree *sops.Tree, path []any, outputStore sops.Store) (output []byte, err error) {
 	v, err := tree.Branches[0].Truncate(path)
 	if err != nil {
 		return nil, fmt.Errorf("error truncating tree: %s", err)

diff --git a/cmd/sops/main.go b/cmd/sops/main.go
@@ -869,7 +869,7 @@ func main() {
 					return toExitError(err)
 				}
 
-				var extract []interface{}
+				var extract []any
 				extract, err = parseTreePath(c.String("extract"))
 				if err != nil {
 					return common.NewExitError(fmt.Errorf("error parsing --extract path: %s", err), codes.InvalidTreePathFormat)
@@ -1988,7 +1988,7 @@ func main() {
 		}
 
 		if isDecryptMode {
-			var extract []interface{}
+			var extract []any
 			extract, err = parseTreePath(c.String("extract"))
 			if err != nil {
 				return common.NewExitError(fmt.Errorf("error parsing --extract path: %s", err), codes.InvalidTreePathFormat)
@@ -2019,8 +2019,8 @@ func main() {
 		}
 
 		if isSetMode {
-			var path []interface{}
-			var value interface{}
+			var path []any
+			var value any
 			path, value, err = extractSetArguments(c.String("set"))
 			if err != nil {
 				return toExitError(err)
@@ -2398,10 +2398,10 @@ func outputStore(context *cli.Context, path string) (common.Store, error) {
 	return common.DefaultStoreForPathOrFormat(storesConf, path, context.String("output-type")), nil
 }
 
-func parseTreePath(arg string) ([]interface{}, error) {
-	var path []interface{}
-	components := strings.Split(arg, "[")
-	for _, component := range components {
+func parseTreePath(arg string) ([]any, error) {
+	var path []any
+	components := strings.SplitSeq(arg, "[")
+	for component := range components {
 		if component == "" {
 			continue
 		}
@@ -2554,8 +2554,8 @@ func shamirThreshold(c *cli.Context, file string, optionalConfig *config.Config)
 	return conf.ShamirThreshold, nil
 }
 
-func jsonValueToTreeInsertableValue(jsonValue string) (interface{}, error) {
-	var valueToInsert interface{}
+func jsonValueToTreeInsertableValue(jsonValue string) (any, error) {
+	var valueToInsert any
 	err := encodingjson.Unmarshal([]byte(jsonValue), &valueToInsert)
 	if err != nil {
 		return nil, common.NewExitError("Value for --set is not valid JSON", codes.ErrorInvalidSetFormat)
@@ -2581,7 +2581,7 @@ func jsonValueToTreeInsertableValue(jsonValue string) (interface{}, error) {
 	return values[0], nil
 }
 
-func extractSetArguments(set string) (path []interface{}, valueToInsert interface{}, err error) {
+func extractSetArguments(set string) (path []any, valueToInsert any, err error) {
 	// Set is a string with the format "python-dict-index json-value"
 	// Since python-dict-index has to end with ], we split at "] " to get the two parts
 	pathValuePair := strings.SplitAfterN(set, "] ", 2)

diff --git a/cmd/sops/set.go b/cmd/sops/set.go
@@ -15,8 +15,8 @@ type setOpts struct {
 	OutputStore     sops.Store
 	InputPath       string
 	IgnoreMAC       bool
-	TreePath        []interface{}
-	Value           interface{}
+	TreePath        []any
+	Value           any
 	KeyServices     []keyservice.KeyServiceClient
 	DecryptionOrder []string
 }

diff --git a/cmd/sops/subcommand/exec/exec.go b/cmd/sops/subcommand/exec/exec.go
@@ -139,8 +139,8 @@ func ExecWithEnv(opts ExecOpts) error {
 		env = os.Environ()
 	}
 
-	lines := bytes.Split(opts.Plaintext, []byte("\n"))
-	for _, line := range lines {
+	lines := bytes.SplitSeq(opts.Plaintext, []byte("\n"))
+	for line := range lines {
 		if len(line) == 0 {
 			continue
 		}

diff --git a/cmd/sops/subcommand/exec/exec_unix.go b/cmd/sops/subcommand/exec/exec_unix.go
@@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows
 
 package exec
 

diff --git a/cmd/sops/subcommand/publish/publish.go b/cmd/sops/subcommand/publish/publish.go
@@ -74,7 +74,7 @@ func Run(opts Opts) error {
 		return err
 	}
 
-	data := map[string]interface{}{}
+	data := map[string]any{}
 
 	switch conf.Destination.(type) {
 	case *publish.S3Destination, *publish.GCSDestination:

diff --git a/cmd/sops/subcommand/updatekeys/updatekeys.go b/cmd/sops/subcommand/updatekeys/updatekeys.go
@@ -124,10 +124,3 @@ func updateFile(opts Opts) error {
 	log.Printf("File %s synced with new keys", opts.InputPath)
 	return nil
 }
-
-func min(a, b int) int {
-	if a < b {
-		return a
-	}
-	return b
-}
diff --git a/cmd/sops/unset.go b/cmd/sops/unset.go
@@ -15,7 +15,7 @@ type unsetOpts struct {
 	OutputStore     sops.Store
 	InputPath       string
 	IgnoreMAC       bool
-	TreePath        []interface{}
+	TreePath        []any
 	KeyServices     []keyservice.KeyServiceClient
 	DecryptionOrder []string
 }

diff --git a/config/config.go b/config/config.go
@@ -56,7 +56,7 @@ func LookupConfigFile(start string) (ConfigFileResult, error) {
 	filepath := path.Dir(start)
 	var foundAlternatePath string
 
-	for i := 0; i < maxDepth; i++ {
+	for range maxDepth {
 		configPath := path.Join(filepath, configFileName)
 		_, err := fs.Stat(configPath)
 		if err == nil {
@@ -176,24 +176,24 @@ type destinationRule struct {
 }
 
 type creationRule struct {
-	PathRegex               string      `yaml:"path_regex"`
-	KMS                     interface{} `yaml:"kms"` // string or []string
-	AwsProfile              string      `yaml:"aws_profile"`
-	Age                     interface{} `yaml:"age"`     // string or []string
-	PGP                     interface{} `yaml:"pgp"`     // string or []string
-	GCPKMS                  interface{} `yaml:"gcp_kms"` // string or []string
-	HCKms                   []string    `yaml:"hckms"`
-	AzureKeyVault           interface{} `yaml:"azure_keyvault"`       // string or []string
-	VaultURI                interface{} `yaml:"hc_vault_transit_uri"` // string or []string
-	KeyGroups               []keyGroup  `yaml:"key_groups"`
-	ShamirThreshold         int         `yaml:"shamir_threshold"`
-	UnencryptedSuffix       string      `yaml:"unencrypted_suffix"`
-	EncryptedSuffix         string      `yaml:"encrypted_suffix"`
-	UnencryptedRegex        string      `yaml:"unencrypted_regex"`
-	EncryptedRegex          string      `yaml:"encrypted_regex"`
-	UnencryptedCommentRegex string      `yaml:"unencrypted_comment_regex"`
-	EncryptedCommentRegex   string      `yaml:"encrypted_comment_regex"`
-	MACOnlyEncrypted        bool        `yaml:"mac_only_encrypted"`
+	PathRegex               string     `yaml:"path_regex"`
+	KMS                     any        `yaml:"kms"` // string or []string
+	AwsProfile              string     `yaml:"aws_profile"`
+	Age                     any        `yaml:"age"`     // string or []string
+	PGP                     any        `yaml:"pgp"`     // string or []string
+	GCPKMS                  any        `yaml:"gcp_kms"` // string or []string
+	HCKms                   []string   `yaml:"hckms"`
+	AzureKeyVault           any        `yaml:"azure_keyvault"`       // string or []string
+	VaultURI                any        `yaml:"hc_vault_transit_uri"` // string or []string
+	KeyGroups               []keyGroup `yaml:"key_groups"`
+	ShamirThreshold         int        `yaml:"shamir_threshold"`
+	UnencryptedSuffix       string     `yaml:"unencrypted_suffix"`
+	EncryptedSuffix         string     `yaml:"encrypted_suffix"`
+	UnencryptedRegex        string     `yaml:"unencrypted_regex"`
+	EncryptedRegex          string     `yaml:"encrypted_regex"`
+	UnencryptedCommentRegex string     `yaml:"unencrypted_comment_regex"`
+	EncryptedCommentRegex   string     `yaml:"encrypted_comment_regex"`
+	MACOnlyEncrypted        bool       `yaml:"mac_only_encrypted"`
 }
 
 // Helper methods to safely extract keys as []string
@@ -222,7 +222,7 @@ func (c *creationRule) GetVaultURIs() ([]string, error) {
 }
 
 // Utility function to handle both string and []string
-func parseKeyField(field interface{}, fieldName string) ([]string, error) {
+func parseKeyField(field any, fieldName string) ([]string, error) {
 	if field == nil {
 		return []string{}, nil
 	}
@@ -242,7 +242,7 @@ func parseKeyField(field interface{}, fieldName string) ([]string, error) {
 			}
 		}
 		return result, nil
-	case []interface{}:
+	case []any:
 		result := make([]string, len(v))
 		for i, item := range v {
 			if str, ok := item.(string); ok {