Clone of https://github.com/NixOS/nixpkgs.git (to stress-test knotserver)
# Nix package expression for checkov, a static analysis tool for
# infrastructure-as-code. The application is built against a private Python
# package set (`py`) in which cyclonedx-python-lib is pinned to 2.7.1.
{ lib
, fetchFromGitHub
, python3
}:

let
  # Python package set with one override. Everything else comes from the
  # python3 set passed in by the caller.
  py = python3.override {
    packageOverrides = self: super: {
      cyclonedx-python-lib = super.cyclonedx-python-lib.overridePythonAttrs (oldAttrs: rec {
        version = "2.7.1";
        src = fetchFromGitHub {
          owner = "CycloneDX";
          repo = "cyclonedx-python-lib";
          # NOTE(review): unlike the checkov source below, this rev is not
          # qualified with refs/tags/, so the name alone could match a branch
          # as well as a tag. The fixed-output hash is what pins the content.
          rev = "v${version}";
          hash = "sha256-c/KhoJOa121/h0n0GUazjUFChnUo05ThD+fuZXc5/Pk=";
        };
      });
    };
  };
in

py.pkgs.buildPythonApplication rec {
  pname = "checkov";
  version = "2.3.288";
  format = "setuptools";

  # The hash must be updated together with `version`; a fetched tree that
  # does not match it fails the build.
  src = fetchFromGitHub {
    owner = "bridgecrewio";
    repo = pname;
    rev = "refs/tags/${version}";
    hash = "sha256-m/AZfHT9ZW4K82WHxlj1iddh+Na4+Rvwgl46fdHRVhA=";
  };

  patches = [ ./flake8-compat-5.x.patch ];

  # Version constraints on these requirements are relaxed, so the packaged
  # tool runs against whatever versions the package set provides.
  # NOTE(review): bc-detect-secrets is in this list and several secrets tests
  # are disabled below, so secret-detection behaviour at the relaxed version
  # is not exercised by this build. Confirm that is acceptable when bumping.
  pythonRelaxDeps = [
    "bc-detect-secrets"
    "bc-python-hcl2"
    "dpath"
    "license-expression"
    "networkx"
    "pycep-parser"
  ];

  nativeBuildInputs = with py.pkgs; [
    pythonRelaxDepsHook
    setuptools-scm
  ];

  # Runtime dependencies.
  # NOTE(review): openai and update_checker suggest features that make
  # outbound requests at runtime. Confirm which options trigger them before
  # running in a restricted CI environment.
  propagatedBuildInputs = with py.pkgs; [
    aiodns
    aiohttp
    aiomultiprocess
    argcomplete
    bc-detect-secrets
    bc-jsonpath-ng
    bc-python-hcl2
    boto3
    cachetools
    charset-normalizer
    cloudsplaining
    colorama
    configargparse
    cyclonedx-python-lib
    deep_merge
    docker
    dockerfile-parse
    dpath
    flake8
    gitpython
    igraph
    jmespath
    jsonschema
    junit-xml
    license-expression
    networkx
    openai
    packaging
    policyuniverse
    prettytable
    pycep-parser
    pyyaml
    semantic-version
    spdx-tools
    tabulate
    termcolor
    tqdm
    typing-extensions
    update_checker
  ];

  nativeCheckInputs = with py.pkgs; [
    aioresponses
    mock
    pytest-asyncio
    pytest-mock
    pytest-xdist
    pytestCheckHook
    responses
  ];

  # Give the test run a throwaway HOME.
  # Presumably some tests write under $HOME, which is not usable in the build
  # sandbox.
  preCheck = ''
    export HOME=$(mktemp -d);
  '';

  # pytestCheckHook turns these entries into a -k expression, so each one is
  # a keyword match and not an exact test name.
  # NOTE(review): short entries such as "cli", "console" and "test_runner"
  # can deselect far more than the tests they were added for, and
  # "test_runner" already covers the two test_runner_verify_secrets_* entries.
  disabledTests = [
    # No API key available
    "api_key"
    # Requires network access
    "TestSarifReport"
    "test_skip_mapping_default"
    # Flake8 test
    "test_file_with_class"
    "test_dataclass_skip"
    "test_typing_class_skip"
    # Tests are comparing console output
    "cli"
    "console"
    # Starting to fail after 2.3.205
    "test_non_multiline_pair"
    "test_secret_value_in_keyword"
    "test_runner_verify_secrets_skip_invalid_suppressed"
    "test_runner_verify_secrets_skip_all_no_effect"
    "test_runner"
  ];

  # The suites for most scanners (terraform, kubernetes, cloudformation,
  # dockerfile and others) are skipped. A green check phase therefore says
  # little about the correctness of the policy checks themselves.
  disabledTestPaths = [
    # Tests are pulling from external sources
    # https://github.com/bridgecrewio/checkov/blob/f03a4204d291cf47e3753a02a9b8c8d805bbd1be/.github/workflows/build.yml
    "integration_tests/"
    "tests/ansible/"
    "tests/arm/"
    "tests/bicep/"
    "tests/cloudformation/"
    "tests/common/"
    "tests/dockerfile/"
    "tests/generic_json/"
    "tests/generic_yaml/"
    "tests/github_actions/"
    "tests/github/"
    "tests/kubernetes/"
    "tests/sca_package_2"
    "tests/terraform/"
    # Performance tests have no value for us
    "performance_tests/test_checkov_performance.py"
    # No Helm
    "dogfood_tests/test_checkov_dogfood.py"
  ];

  # Import smoke test. With most tests disabled, this is the main check that
  # the installed package loads.
  pythonImportsCheck = [ "checkov" ];

  # Make the installed entry point executable.
  postInstall = ''
    chmod +x $out/bin/checkov
  '';

  meta = {
    description = "Static code analysis tool for infrastructure-as-code";
    homepage = "https://github.com/bridgecrewio/checkov";
    changelog = "https://github.com/bridgecrewio/checkov/releases/tag/${version}";
    longDescription = ''
      Prevent cloud misconfigurations during build-time for Terraform, Cloudformation,
      Kubernetes, Serverless framework and other infrastructure-as-code-languages.
    '';
    license = lib.licenses.asl20;
    maintainers = with lib.maintainers; [ anhdle14 fab ];
  };
}