adding support for all sops supported file types

Author: binbashing

.gitignore

@@ -13,8 +13,10 @@
 
 # Build artifacts
 sops-cop
+sops-cop_*
 /bin/
 /dist/
+/dist-local/
 
 # Dependency directories (if used)
 vendor/

.sops.yaml

@@ -1,3 +1,9 @@
 creation_rules:
   - path_regex: '(^|.*/).*secret.*\.ya?ml$'
     encrypted_regex: '^(data|stringData)$'
+  - path_regex: '(^|.*/).*secret.*\.json$'
+    encrypted_regex: ''
+  - path_regex: '(^|.*/).*secret.*\.env$'
+    encrypted_regex: ''
+  - path_regex: '(^|.*/).*secret.*\.ini$'
+    encrypted_regex: ''

README.md

@@ -10,14 +10,15 @@ SOPS-Cop is a CLI tool to enforce SOPS encryption rules without requiring the SO
 ## How it works
 
 - Discovers your existing SOPS configuration and verifies encryption rules are followed.
-- Reports each unencrypted key path to `stderr` with file path and line:column location.
+- Supports YAML, JSON, ENV, and INI files when matched by `.sops.yaml` creation rules.
+- Reports each unencrypted key path to `stderr` with file path and location details (line:column for YAML; path-only fallback for other formats).
 
 ## Exit codes
 
 - `0`: all checked values are encrypted
 - `2`: invalid arguments (for example, unresolvable target path)
 - `3`: file read error (for example, file missing or permission denied)
-- `4`: invalid YAML input
+- `4`: invalid input for the matched file format (YAML/JSON/ENV/INI)
 - `5`: one or more unencrypted values were found
 - `6`: `.sops.yaml` config error (for example, invalid regex)
 
@@ -37,7 +38,7 @@ go install github.com/binbashing/sops-cop@latest
 
 ### Option 2: prebuilt release binary (no Go required)
 
-Download the correct archive from the GitHub Releases page for your OS/arch, extract it, and place `sops-cop` on your `PATH`.
+Download the correct binary from the GitHub Releases page for your OS/arch and place `sops-cop` on your `PATH`.
 
 ## Build
 

go.mod

@@ -115,4 +115,5 @@ require (
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250324211829-b45e905df463 // indirect
 	google.golang.org/grpc v1.71.1 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
 )

go.sum

@@ -311,6 +311,8 @@ google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
+gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

main.go

@@ -13,6 +13,9 @@ import (
 	sopsformats "github.com/getsops/sops/v3/cmd/sops/formats"
 	sopsconfig "github.com/getsops/sops/v3/config"
 	sopsstores "github.com/getsops/sops/v3/stores"
+	sopsdotenv "github.com/getsops/sops/v3/stores/dotenv"
+	sopsini "github.com/getsops/sops/v3/stores/ini"
+	sopsjson "github.com/getsops/sops/v3/stores/json"
 	sopsyaml "github.com/getsops/sops/v3/stores/yaml"
 	"gopkg.in/yaml.v3"
 )
@@ -51,7 +54,7 @@ func main() {
 func usage() {
 	out := flag.CommandLine.Output()
 	fmt.Fprintf(out, "sops-cop %s\n\n", version)
-	fmt.Fprintln(out, "Validates that YAML values are encrypted according to .sops.yaml rules.")
+	fmt.Fprintln(out, "Validates YAML/JSON/ENV/INI values are encrypted according to .sops.yaml rules.")
 	fmt.Fprintln(out, "Usage:")
 	fmt.Fprintln(out, "  sops-cop [-target <path-inside-project>]")
 	fmt.Fprintln(out)
@@ -125,8 +128,8 @@ func validateProject(config *SopsConfig, configDir string, stderr io.Writer) int
 			return nil
 		}
 
-		if !sopsformats.IsYAMLFile(path) {
-			fmt.Fprintf(stderr, "warning: skipping non-YAML file matched by path_regex: %s\n", path)
+		if !isSupportedStructuredFile(path) {
+			fmt.Fprintf(stderr, "warning: skipping unsupported file matched by path_regex: %s\n", path)
 			return nil
 		}
 
@@ -163,9 +166,9 @@ func validateFileWithRule(filePath string, rule *sopsconfig.Config, stderr io.Wr
 		return exitFileReadError, 0
 	}
 
-	failures, err := validateYAMLContent(data, rule)
+	failures, formatName, err := validateContentForFile(filePath, data, rule)
 	if err != nil {
-		fmt.Fprintf(stderr, "error: invalid YAML: %v\n", err)
+		fmt.Fprintf(stderr, "error: invalid %s: %v\n", formatName, err)
 		return exitInvalidYAML, 0
 	}
 
@@ -179,6 +182,90 @@ func validateFileWithRule(filePath string, rule *sopsconfig.Config, stderr io.Wr
 	return exitSuccess, 0
 }
 
+// plainFileLoader is implemented by SOPS format stores that load plaintext into tree branches.
+type plainFileLoader interface {
+	LoadPlainFile([]byte) (sops.TreeBranches, error)
+}
+
+func isSupportedStructuredFile(path string) bool {
+	return sopsformats.IsYAMLFile(path) ||
+		sopsformats.IsJSONFile(path) ||
+		sopsformats.IsEnvFile(path) ||
+		sopsformats.IsIniFile(path)
+}
+
+func formatNameForPath(path string) string {
+	switch {
+	case sopsformats.IsYAMLFile(path):
+		return "YAML"
+	case sopsformats.IsJSONFile(path):
+		return "JSON"
+	case sopsformats.IsEnvFile(path):
+		return "ENV"
+	case sopsformats.IsIniFile(path):
+		return "INI"
+	default:
+		return "file"
+	}
+}
+
+func validateContentForFile(filePath string, data []byte, rule *sopsconfig.Config) ([]string, string, error) {
+	if sopsformats.IsYAMLFile(filePath) {
+		failures, err := validateYAMLContent(data, rule)
+		return failures, "YAML", err
+	}
+
+	if strings.TrimSpace(string(data)) == "" {
+		return []string{}, formatNameForPath(filePath), nil
+	}
+
+	switch {
+	case sopsformats.IsJSONFile(filePath):
+		failures, err := validateStructuredContent(data, rule, sopsjson.NewStore(&sopsconfig.JSONStoreConfig{}))
+		return failures, "JSON", err
+	case sopsformats.IsEnvFile(filePath):
+		failures, err := validateStructuredContent(data, rule, sopsdotenv.NewStore(&sopsconfig.DotenvStoreConfig{}))
+		return failures, "ENV", err
+	case sopsformats.IsIniFile(filePath):
+		failures, err := validateStructuredContent(data, rule, sopsini.NewStore(&sopsconfig.INIStoreConfig{}))
+		return failures, "INI", err
+	default:
+		return []string{}, formatNameForPath(filePath), nil
+	}
+}
+
+func validateStructuredContent(data []byte, rule *sopsconfig.Config, store plainFileLoader) ([]string, error) {
+	branchesForValidation, err := store.LoadPlainFile(data)
+	if err != nil {
+		return []string{}, err
+	}
+
+	if len(branchesForValidation) == 0 {
+		return []string{}, nil
+	}
+
+	branchesForSelection, err := store.LoadPlainFile(data)
+	if err != nil {
+		return []string{}, err
+	}
+
+	encryptedPaths, err := computeSOPSSelectedPathsFromBranches(branchesForSelection, rule)
+	if err != nil {
+		return []string{}, err
+	}
+
+	var failures []string
+	for _, branch := range branchesForValidation {
+		walkTreeValue(branch, nil, &failures, encryptedPaths)
+	}
+
+	if failures == nil {
+		failures = []string{}
+	}
+
+	return failures, nil
+}
+
 // validateYAMLContent parses YAML bytes and returns locations of unencrypted values that should be encrypted.
 func validateYAMLContent(data []byte, rule *sopsconfig.Config) ([]string, error) {
 	// Parse YAML first to detect empty or comment-only files before
@@ -288,6 +375,11 @@ func computeSOPSSelectedPaths(data []byte, rule *sopsconfig.Config) (map[string]
 		return nil, err
 	}
 
+	return computeSOPSSelectedPathsFromBranches(branches, rule)
+}
+
+func computeSOPSSelectedPathsFromBranches(branches sops.TreeBranches, rule *sopsconfig.Config) (map[string]struct{}, error) {
+
 	// Apply the SOPS default: when no selector is specified, keys ending in
 	// "_unencrypted" are left as plaintext.
 	unencryptedSuffix := rule.UnencryptedSuffix
@@ -322,6 +414,38 @@ func computeSOPSSelectedPaths(data []byte, rule *sopsconfig.Config) (map[string]
 	return selected, nil
 }
 
+func walkTreeValue(value interface{}, path []string, failures *[]string, encryptedPaths map[string]struct{}) {
+	switch typed := value.(type) {
+	case sops.TreeBranch:
+		for _, item := range typed {
+			key := fmt.Sprint(item.Key)
+			if key == sopsstores.SopsMetadataKey {
+				continue
+			}
+			nextPath := appendPath(path, key)
+			walkTreeValue(item.Value, nextPath, failures, encryptedPaths)
+		}
+
+	case []interface{}:
+		for i, item := range typed {
+			nextPath := appendPath(path, strconv.Itoa(i))
+			walkTreeValue(item, nextPath, failures, encryptedPaths)
+		}
+
+	case string:
+		if _, shouldEncrypt := encryptedPaths[joinPath(path)]; shouldEncrypt && !strings.HasPrefix(typed, encryptedPrefix) {
+			msg := fmt.Sprintf("unencrypted value found at '%s'", joinPath(path))
+			*failures = append(*failures, msg)
+		}
+
+	default:
+		if _, shouldEncrypt := encryptedPaths[joinPath(path)]; shouldEncrypt {
+			msg := fmt.Sprintf("unencrypted value found at '%s'", joinPath(path))
+			*failures = append(*failures, msg)
+		}
+	}
+}
+
 func collectSelectedPaths(value interface{}, path []string, selected map[string]struct{}) {
 	switch typed := value.(type) {
 	case sops.TreeBranch:

main_test.go

@@ -567,3 +567,144 @@ func TestExampleSecretFixtureWithSopsConfig(t *testing.T) {
 		}
 	})
 }
+
+func TestRunSupportsStructuredFormats(t *testing.T) {
+	t.Run("json plaintext value fails", func(t *testing.T) {
+		tempDir := t.TempDir()
+		sopsConfig := `creation_rules:
+  - path_regex: ".*\\.json$"
+    encrypted_regex: ""
+`
+		if err := os.WriteFile(filepath.Join(tempDir, ".sops.yaml"), []byte(sopsConfig), 0o600); err != nil {
+			t.Fatalf("write .sops.yaml: %v", err)
+		}
+		if err := os.WriteFile(filepath.Join(tempDir, "secrets.json"), []byte(`{"password":"plaintext"}`), 0o600); err != nil {
+			t.Fatalf("write secrets.json: %v", err)
+		}
+
+		var stderr bytes.Buffer
+		gotExitCode := run(tempDir, &stderr)
+		if gotExitCode != exitUnencryptedValue {
+			t.Fatalf("run() exit code = %d, want %d; stderr=%q", gotExitCode, exitUnencryptedValue, stderr.String())
+		}
+		if !strings.Contains(stderr.String(), "secrets.json") || !strings.Contains(stderr.String(), "unencrypted value found") {
+			t.Fatalf("run() stderr = %q, want json violation output", stderr.String())
+		}
+	})
+
+	t.Run("json encrypted value passes", func(t *testing.T) {
+		tempDir := t.TempDir()
+		sopsConfig := `creation_rules:
+  - path_regex: ".*\\.json$"
+    encrypted_regex: ""
+`
+		if err := os.WriteFile(filepath.Join(tempDir, ".sops.yaml"), []byte(sopsConfig), 0o600); err != nil {
+			t.Fatalf("write .sops.yaml: %v", err)
+		}
+		if err := os.WriteFile(filepath.Join(tempDir, "secrets.json"), []byte(`{"password":"ENC[AES256_GCM,data:abc]"}`), 0o600); err != nil {
+			t.Fatalf("write secrets.json: %v", err)
+		}
+
+		var stderr bytes.Buffer
+		gotExitCode := run(tempDir, &stderr)
+		if gotExitCode != exitSuccess {
+			t.Fatalf("run() exit code = %d, want %d; stderr=%q", gotExitCode, exitSuccess, stderr.String())
+		}
+		if !strings.Contains(stderr.String(), "All files compliant") {
+			t.Fatalf("run() stderr = %q, want success summary", stderr.String())
+		}
+	})
+
+	t.Run("dotenv plaintext value fails", func(t *testing.T) {
+		tempDir := t.TempDir()
+		sopsConfig := `creation_rules:
+  - path_regex: ".*\\.env$"
+    encrypted_regex: ""
+`
+		if err := os.WriteFile(filepath.Join(tempDir, ".sops.yaml"), []byte(sopsConfig), 0o600); err != nil {
+			t.Fatalf("write .sops.yaml: %v", err)
+		}
+		if err := os.WriteFile(filepath.Join(tempDir, "app.env"), []byte("PASSWORD=plaintext\n"), 0o600); err != nil {
+			t.Fatalf("write app.env: %v", err)
+		}
+
+		var stderr bytes.Buffer
+		gotExitCode := run(tempDir, &stderr)
+		if gotExitCode != exitUnencryptedValue {
+			t.Fatalf("run() exit code = %d, want %d; stderr=%q", gotExitCode, exitUnencryptedValue, stderr.String())
+		}
+		if !strings.Contains(stderr.String(), "app.env") || !strings.Contains(stderr.String(), "unencrypted value found") {
+			t.Fatalf("run() stderr = %q, want env violation output", stderr.String())
+		}
+	})
+
+	t.Run("dotenv encrypted value passes", func(t *testing.T) {
+		tempDir := t.TempDir()
+		sopsConfig := `creation_rules:
+  - path_regex: ".*\\.env$"
+    encrypted_regex: ""
+`
+		if err := os.WriteFile(filepath.Join(tempDir, ".sops.yaml"), []byte(sopsConfig), 0o600); err != nil {
+			t.Fatalf("write .sops.yaml: %v", err)
+		}
+		if err := os.WriteFile(filepath.Join(tempDir, "app.env"), []byte("PASSWORD=ENC[AES256_GCM,data:abc]\n"), 0o600); err != nil {
+			t.Fatalf("write app.env: %v", err)
+		}
+
+		var stderr bytes.Buffer
+		gotExitCode := run(tempDir, &stderr)
+		if gotExitCode != exitSuccess {
+			t.Fatalf("run() exit code = %d, want %d; stderr=%q", gotExitCode, exitSuccess, stderr.String())
+		}
+		if !strings.Contains(stderr.String(), "All files compliant") {
+			t.Fatalf("run() stderr = %q, want success summary", stderr.String())
+		}
+	})
+
+	t.Run("ini plaintext value fails", func(t *testing.T) {
+		tempDir := t.TempDir()
+		sopsConfig := `creation_rules:
+  - path_regex: ".*\\.ini$"
+    encrypted_regex: ""
+`
+		if err := os.WriteFile(filepath.Join(tempDir, ".sops.yaml"), []byte(sopsConfig), 0o600); err != nil {
+			t.Fatalf("write .sops.yaml: %v", err)
+		}
+		if err := os.WriteFile(filepath.Join(tempDir, "app.ini"), []byte("[db]\npassword=plaintext\n"), 0o600); err != nil {
+			t.Fatalf("write app.ini: %v", err)
+		}
+
+		var stderr bytes.Buffer
+		gotExitCode := run(tempDir, &stderr)
+		if gotExitCode != exitUnencryptedValue {
+			t.Fatalf("run() exit code = %d, want %d; stderr=%q", gotExitCode, exitUnencryptedValue, stderr.String())
+		}
+		if !strings.Contains(stderr.String(), "app.ini") || !strings.Contains(stderr.String(), "unencrypted value found") {
+			t.Fatalf("run() stderr = %q, want ini violation output", stderr.String())
+		}
+	})
+
+	t.Run("ini encrypted value passes", func(t *testing.T) {
+		tempDir := t.TempDir()
+		sopsConfig := `creation_rules:
+  - path_regex: ".*\\.ini$"
+    encrypted_regex: ""
+`
+		if err := os.WriteFile(filepath.Join(tempDir, ".sops.yaml"), []byte(sopsConfig), 0o600); err != nil {
+			t.Fatalf("write .sops.yaml: %v", err)
+		}
+		if err := os.WriteFile(filepath.Join(tempDir, "app.ini"), []byte("[db]\npassword=ENC[AES256_GCM,data:abc]\n"), 0o600); err != nil {
+			t.Fatalf("write app.ini: %v", err)
+		}
+
+		var stderr bytes.Buffer
+		gotExitCode := run(tempDir, &stderr)
+		if gotExitCode != exitSuccess {
+			t.Fatalf("run() exit code = %d, want %d; stderr=%q", gotExitCode, exitSuccess, stderr.String())
+		}
+		if !strings.Contains(stderr.String(), "All files compliant") {
+			t.Fatalf("run() stderr = %q, want success summary", stderr.String())
+		}
+	})
+
+}