Improving docs and logging

Author: binbashing

README.md

@@ -1,20 +1,21 @@
-# sops-cop
+# SOPS-Cop
 
 [![Go Version](https://img.shields.io/badge/Go-1.23%2B-00ADD8?logo=go)](https://go.dev/)
 [![CI](https://github.com/binbashing/sops-cop/actions/workflows/ci.yml/badge.svg)](https://github.com/binbashing/sops-cop/actions/workflows/ci.yml)
 [![Tests](https://img.shields.io/badge/tests-go%20test%20.%2F...-brightgreen)](https://github.com/binbashing/sops-cop/actions/workflows/ci.yml)
 
-A small, fast Go CLI that enforces SOPS encryption rules without requiring the SOPS binary or encryption keys; designed for commit hooks and CI jobs.
+SOPS-Cop is a CLI tool to enforce SOPS encryption rules without requiring the SOPS binary or encryption keys; designed for commit hooks and CI jobs.
+
 
 ## How it works
 
-- Locates `.sops.yaml` by walking up from the provided path (or current directory).
-- Scans files matched by `creation_rules` and checks that selected values are encrypted.
+- Discovers your existing SOPS configuration and verifies encryption rules are followed.
 - Reports each unencrypted key path to `stderr` with file path and line:column location.
 
 ## Exit codes
 
 - `0`: all checked values are encrypted
+- `2`: invalid arguments (for example, unresolvable target path)
 - `3`: file read error (for example, file missing or permission denied)
 - `4`: invalid YAML input
 - `5`: one or more unencrypted values were found
@@ -56,6 +57,12 @@ Or start from any path inside the project:
 ./sops-cop -target path/to/any/subdir
 ```
 
+Print version:
+
+```bash
+./sops-cop -version
+```
+
 Help:
 
 ```bash

main.go

@@ -89,7 +89,7 @@ func run(target string, stderr io.Writer) int {
 
 	config, configDir, err := loadSopsConfig(startDir)
 	if err != nil {
-		fmt.Fprintf(stderr, "error: %v\n", err)
+		fmt.Fprintf(stderr, "error: failed to load .sops.yaml config: %v\n", err)
 		return exitConfigError
 	}
 
@@ -117,7 +117,7 @@ func validateProject(config *SopsConfig, configDir string, stderr io.Writer) int
 
 		rule, matched, err := loadCreationRuleForFile(config, path)
 		if err != nil {
-			fmt.Fprintf(stderr, "error: %v\n", err)
+			fmt.Fprintf(stderr, "error: failed to match creation rule for %s: %v\n", path, err)
 			exitCode = exitConfigError
 			return nil
 		}

main_test.go

@@ -352,6 +352,82 @@ func TestRunExitCodes(t *testing.T) {
 			wantExitCode:  exitUnencryptedValue,
 			wantErrSubstr: "secrets/bad.yaml",
 		},
+		{
+			name: "multiple creation rules apply different encryption to different paths",
+			setup: func(t *testing.T) string {
+				tempDir := t.TempDir()
+				// Rule 1: secrets/ files must encrypt everything
+				// Rule 2: configs/ files only encrypt keys matching "password"
+				sopsConfig := `creation_rules:
+  - path_regex: "^secrets/.*\\.yaml$"
+    encrypted_regex: ""
+  - path_regex: "^configs/.*\\.yaml$"
+    encrypted_regex: "^password$"
+`
+				if err := os.WriteFile(filepath.Join(tempDir, ".sops.yaml"), []byte(sopsConfig), 0o600); err != nil {
+					t.Fatalf("write .sops.yaml: %v", err)
+				}
+
+				if err := os.MkdirAll(filepath.Join(tempDir, "secrets"), 0o755); err != nil {
+					t.Fatalf("mkdir secrets: %v", err)
+				}
+				if err := os.MkdirAll(filepath.Join(tempDir, "configs"), 0o755); err != nil {
+					t.Fatalf("mkdir configs: %v", err)
+				}
+
+				// secrets/creds.yaml: fully encrypted — should pass
+				if err := os.WriteFile(filepath.Join(tempDir, "secrets", "creds.yaml"),
+					[]byte("token: ENC[AES256_GCM,data:abc]\n"), 0o600); err != nil {
+					t.Fatalf("write secrets creds.yaml: %v", err)
+				}
+
+				// configs/db.yaml: host is plaintext (allowed), password is plaintext (violation)
+				if err := os.WriteFile(filepath.Join(tempDir, "configs", "db.yaml"),
+					[]byte("host: localhost\npassword: plaintext\n"), 0o600); err != nil {
+					t.Fatalf("write configs db.yaml: %v", err)
+				}
+
+				return tempDir
+			},
+			wantExitCode:  exitUnencryptedValue,
+			wantErrSubstr: "configs/db.yaml",
+		},
+		{
+			name: "multiple creation rules all passing",
+			setup: func(t *testing.T) string {
+				tempDir := t.TempDir()
+				sopsConfig := `creation_rules:
+  - path_regex: "^secrets/.*\\.yaml$"
+    encrypted_regex: ""
+  - path_regex: "^configs/.*\\.yaml$"
+    encrypted_regex: "^password$"
+`
+				if err := os.WriteFile(filepath.Join(tempDir, ".sops.yaml"), []byte(sopsConfig), 0o600); err != nil {
+					t.Fatalf("write .sops.yaml: %v", err)
+				}
+
+				if err := os.MkdirAll(filepath.Join(tempDir, "secrets"), 0o755); err != nil {
+					t.Fatalf("mkdir secrets: %v", err)
+				}
+				if err := os.MkdirAll(filepath.Join(tempDir, "configs"), 0o755); err != nil {
+					t.Fatalf("mkdir configs: %v", err)
+				}
+
+				if err := os.WriteFile(filepath.Join(tempDir, "secrets", "creds.yaml"),
+					[]byte("token: ENC[AES256_GCM,data:abc]\n"), 0o600); err != nil {
+					t.Fatalf("write secrets creds.yaml: %v", err)
+				}
+
+				if err := os.WriteFile(filepath.Join(tempDir, "configs", "db.yaml"),
+					[]byte("host: localhost\npassword: ENC[AES256_GCM,data:xyz]\n"), 0o600); err != nil {
+					t.Fatalf("write configs db.yaml: %v", err)
+				}
+
+				return tempDir
+			},
+			wantExitCode:  exitSuccess,
+			wantErrSubstr: "All files compliant",
+		},
 		{
 			name: "invalid rule when both encrypted_regex and unencrypted_regex are set",
 			setup: func(t *testing.T) string {