git-crypt status: Check Which Files Are Encrypted
git-crypt status lists every file and whether git-crypt considers it encrypted, not encrypted, or misconfigured against .gitattributes.
Before trusting that a repo protects its secrets, git-crypt status shows the actual encryption state. In CI it is a cheap guard against a secret file that was never encrypted.
What it does
git-crypt status walks the repository and prints each file with its status: "encrypted", "not encrypted", or a warning when a file matches an encrypt filter but is stored as plaintext. It reads .gitattributes to know what should be encrypted.
Common usage
git-crypt status
# list only files that are encrypted
git-crypt status -e
# list files that should be encrypted but are not
git-crypt status -uOptions
| Flag | What it does |
|---|---|
| -e | Show only files that are encrypted |
| -u | Show only files that are not encrypted |
| -f | Fix filters / re-stage (use with care) |
In CI
Run git-crypt status -u (or grep the status output for "not encrypted" on paths that should be secret) as a pre-merge check so a secret that slipped past the filter fails the build instead of leaking. It needs no key, so it can run before unlock.
Common errors in CI
A file listed as "not encrypted" that should be secret means the .gitattributes filter did not match when it was committed; the plaintext is now in history and the secret must be rotated. "git-crypt: error: Not in a git repository" means the check ran outside the repo root.