Reduce public API surface

.github/workflows/rego.yaml

@@ -29,4 +29,4 @@ jobs:
           version: latest
 
       - name: Run OPA Tests
-        run: opa test classification/labels/*.rego -v
+        run: opa test ./classification/labels/*.rego -v

Makefile

@@ -15,3 +15,12 @@ integration-test:
 
 clean:
 	go clean -i ./...
+
+opt-fmt:
+	opa fmt --write ./classification/labels
+
+opa-lint:
+	regal lint --disable=line-length ./classification/labels/
+
+opa-test:
+	opa test ./classification/labels/*.rego -v

classification/label.go

@@ -50,7 +50,10 @@ func NewLabel(name, description, classificationRule string, tags ...string) (Lab
 
 // GetEmbeddedLabels returns the predefined embedded labels and their
 // classification rules. The labels are read from the embedded labels.yaml file
-// and the classification rules are read from the embedded Rego files.
+// and the classification rules are read from the embedded Rego files. If there
+// is an error unmarshalling the labels file, it is returned. If there is an
+// error reading or parsing a classification rule for a label, a warning is
+// logged and that label is skipped.
 func GetEmbeddedLabels() ([]Label, error) {
 	labels := struct {
 		Labels map[string]Label `yaml:"labels"`
@@ -62,11 +65,13 @@ func GetEmbeddedLabels() ([]Label, error) {
 		fname := "labels/" + strings.ReplaceAll(strings.ToLower(name), " ", "_") + ".rego"
 		b, err := regoFs.ReadFile(fname)
 		if err != nil {
-			return nil, fmt.Errorf("error reading rego file %s: %w", fname, err)
+			log.WithError(err).Warnf("error reading rego file %s", fname)
+			continue
 		}
 		rule, err := parseRego(string(b))
 		if err != nil {
-			return nil, fmt.Errorf("error preparing classification rule for label %s: %w", lbl.Name, err)
+			log.WithError(err).Warnf("error parsing classification rule for label %s", lbl.Name)
+			continue
 		}
 		lbl.Name = name
 		lbl.ClassificationRule = rule

classification/label_classifier.go

@@ -18,7 +18,6 @@ type LabelClassifier struct {
 var _ Classifier = (*LabelClassifier)(nil)
 
 // NewLabelClassifier creates a new LabelClassifier with the provided labels.
-//
 func NewLabelClassifier(labels ...Label) (*LabelClassifier, error) {
 	if len(labels) == 0 {
 		return nil, fmt.Errorf("labels cannot be empty")
@@ -27,7 +26,7 @@ func NewLabelClassifier(labels ...Label) (*LabelClassifier, error) {
 	for _, lbl := range labels {
 		queries[lbl.Name] = rego.New(
 			// We only care about the 'output' variable.
-			rego.Query(lbl.ClassificationRule.Package.Path.String() + ".output"),
+			rego.Query(lbl.ClassificationRule.Package.Path.String()+".output"),
 			rego.ParsedModule(lbl.ClassificationRule),
 		)
 	}

cmd/main.go

@@ -64,7 +64,7 @@ func main() {
 	ctx := kong.Parse(
 		&cli,
 		kong.Name("dmap"),
-		kong.Description("Assess your data security posture in AWS."),
+		kong.Description("Discover your data repositories and classify their sensitive data."),
 		kong.UsageOnError(),
 		kong.ConfigureHelp(
 			kong.HelpOptions{

cmd/repo_scan.go

@@ -53,6 +53,7 @@ func (g GlobFlag) Decode(ctx *kong.DecodeContext) error {
 
 func (cmd *RepoScanCmd) Run(_ *Globals) error {
 	ctx := context.Background()
+	// Configure and instantiate the scanner.
 	cfg := sql.ScannerConfig{
 		RepoType: cmd.Type,
 		RepoConfig: sql.RepoConfig{
@@ -73,15 +74,17 @@ func (cmd *RepoScanCmd) Run(_ *Globals) error {
 	if err != nil {
 		return fmt.Errorf("error creating new scanner: %w", err)
 	}
+	// Scan the repository.
 	results, err := scanner.Scan(ctx)
 	if err != nil {
 		return fmt.Errorf("error scanning repository: %w", err)
 	}
+	// Print the results to stdout.
 	jsonResults, err := json.MarshalIndent(results, "", "    ")
 	if err != nil {
 		return fmt.Errorf("error marshalling results: %w", err)
 	}
 	fmt.Println(string(jsonResults))
-	// TODO: publish results to API -ccampo 2024-04-03
+	// TODO: publish results to the API -ccampo 2024-04-03
 	return nil
 }

scan/scanner.go

@@ -27,7 +27,7 @@ type RepoScanResults struct {
 	Classifications []Classification       `json:"classifications"`
 }
 
-// TODO: godoc -ccampo 2024-04-03
+// Classification represents the classification of a data repository attribute.
 type Classification struct {
 	// AttributePath is the full path of the data repository attribute
 	// (e.g. the column). Each element corresponds to a component, in increasing