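# sysdig-cli-scanner: prebuilt Sysdig vulnerability / IaC CLI scanner.
#
# The upstream executable is fetched per platform from ./sysdig-cli-scanner.versions.nix
# (pinned URL + hash) and installed unwrapped under libexec/. The bin/ entry point is a
# small shell wrapper that supplies a writable --dbpath in vulnerability-scanning mode,
# because the binary would otherwise try to place its database next to itself, inside
# the read-only Nix store.
{
  stdenv,
  lib,
  fetchurl,
  writeShellScript,
}:
let
  # Per-system { url, hash } entries plus the shared `version`; maintained by update.sh.
  versionMetadata = import ./sysdig-cli-scanner.versions.nix;
  # `or` only evaluates its fallback when the attribute is missing, so the throw fires
  # exclusively for systems that have no entry in the versions file.
  fetchForSystem =
    versionMetadata.${stdenv.system} or (throw "unsupported system ${stdenv.system}");

  # Inside this Nix indented string, `''${` is the escape for a literal `${`, which is
  # what the shell parameter expansion on the --dbpath line needs.
  wrapper = writeShellScript "sysdig-cli-scanner-wrapper" ''
    for arg in "$@"; do
      # We must not pass --dbpath to the cli in case it has been called with --iac
      # IaC Scanning does not make use of the vulnerability database
      if [ "$arg" = "--iac" ]; then
        exec @out@/libexec/sysdig-cli-scanner-unwrapped "$@"
      fi
    done

    # --dbpath argument is needed for vulnerability scanning mode, otherwise it tries to download
    # the vulnerability database in the same path as the binary, which is read-only in the case of the
    # nix store.
    # Honour XDG_CACHE_HOME when it is set and fall back to the previous $HOME/.cache
    # location otherwise, so existing installs keep using the same database directory.
    exec @out@/libexec/sysdig-cli-scanner-unwrapped \
      --dbpath="''${XDG_CACHE_HOME:-$HOME/.cache}/sysdig-cli-scanner/" "$@"
  '';
in
stdenv.mkDerivation {
  pname = "sysdig-cli-scanner";
  version = versionMetadata.version;

  # Upstream ships a single executable; the pinned hash is what ties this derivation
  # to the exact artifact recorded in the versions file.
  src = fetchurl { inherit (fetchForSystem) url hash; };
  dontUnpack = true;

  installPhase = ''
    runHook preInstall

    # The real binary stays out of $PATH; only the wrapper is exposed in bin/.
    install -Dm755 -T $src $out/libexec/sysdig-cli-scanner-unwrapped
    install -Dm755 -T ${wrapper} $out/bin/sysdig-cli-scanner
    # Resolve the @out@ placeholders in the wrapper to this derivation's store path.
    substituteInPlace $out/bin/sysdig-cli-scanner --subst-var out

    runHook postInstall
  '';

  passthru.updateScript = ./update.sh;

  meta = {
    description = "Tool for scanning container images and directories using Sysdig";
    longDescription = ''
      The Sysdig Vulnerability CLI Scanner, sysdig-cli-scanner, is a versatile tool designed to
      manually scan container images and directories, whether they are located locally or remotely.
      Depending on your specific use case, you have the flexibility to execute sysdig-cli-scanner
      in Vulnerability Management (VM) mode for image scanning or Infrastructure as Code (IaC) mode
      for scanning directories.
    '';
    homepage = "https://docs.sysdig.com/en/docs/installation/sysdig-secure/install-vulnerability-cli-scanner/";
    mainProgram = "sysdig-cli-scanner";
    license = lib.licenses.unfreeRedistributable;
    maintainers = with lib.maintainers; [ tembleking ];
    platforms = [
      "x86_64-linux"
      "aarch64-linux"
      "x86_64-darwin"
      "aarch64-darwin"
    ];
    # Prebuilt upstream binary; nothing is compiled from source in the sandbox.
    sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ];
  };
}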