diff --git a/bin/test_secrets.sh b/bin/test_secrets.sh
index d645187..0500775 100755
--- a/bin/test_secrets.sh
+++ b/bin/test_secrets.sh
@@ -4,21 +4,26 @@
 # appropriate header, and that none other pillar files contain this header or
 # any secrets
 
-HEADER="#!yaml|gpg"
+set -Ceu
+
+HEADER_REGEX='^(#!yaml\|gpg|#!gpg\|yaml)$'
+HEADER_EMPTY='^(# empty)$'
+STATUS=0
 
 SECRETS_SLS=$(find pillar/secrets -name '*.sls' 2> /dev/null)
 if [[ -n $SECRETS_SLS ]]; then
   for secret_sls in ${SECRETS_SLS[@]}; do
-    if [[ $(head -n 1 $secret_sls) != "$HEADER" ]]; then
-      echo "$secret_sls is missing the \"$HEADER\" header or it is not on the first line"
+    HEADER_LINE="$(head -n 1 $secret_sls)"
+    if [[ ! "$HEADER_LINE" =~ $HEADER_REGEX && ! ( "$HEADER_LINE" =~ $HEADER_EMPTY && "$(wc -l < $secret_sls)" == 1 ) ]]; then
+      echo "The first line in $secret_sls is not matching \"$HEADER_REGEX\""
       STATUS=1
     fi
   done
 fi
 
 for sls in $(find pillar/ -not -path 'pillar/secrets/*' -name '*.sls'); do
-  if $(grep -q "$HEADER" $sls); then
-    echo "$sls has the \"$HEADER\" header, please remove it"
+  if $(grep -Eq "$HEADER_REGEX" $sls); then
+    echo "$sls matches \"$HEADER_REGEX\", please remove such lines from non-secret pillar files"
     STATUS=1
   fi
   if $(grep -q "BEGIN GPG MESSAGE" $sls); then
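Review bot: The new `if $(grep -Eq "$HEADER_REGEX" $sls); then` in the second loop still wraps grep in a command substitution, so bash executes grep's stdout as a command and the branch only works because `-q` keeps that output empty; the plain form `if grep -Eq -- "$HEADER_REGEX" "$sls"; then` is what is meant and also protects a pillar path beginning with `-`. The added `head -n 1 $secret_sls` and `wc -l < $secret_sls` leave the path unquoted, so a secrets file whose name contains whitespace would be split before the check runs, and with `set -e` now in force the resulting `head`/`wc` failure aborts the whole scan instead of reporting that file; quote both as `"$secret_sls"`. The `# empty` exemption compares `"$(wc -l < $secret_sls)" == 1` as a string, which presumably fails on BSD/macOS where `wc` pads the count with leading spaces, and since `wc -l` counts newlines a one-line file without a trailing newline would count as 0; an arithmetic test `(( $(wc -l < "$secret_sls") == 1 ))` handles the padding, and the newline caveat is worth a comment above the line. The second `for sls` loop body continues past the end of this hunk.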