Clone of https://github.com/NixOS/nixpkgs.git (to stress-test knotserver)
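# Kubescape, packaged with buildGoModule.
# Both the source tree and the vendored Go module set are pinned by content
# hash below, so a changed upstream tag or dependency set fails the build
# instead of being picked up silently.
{ lib
, buildGoModule
, fetchFromGitHub
, installShellFiles
}:

buildGoModule rec {
  pname = "kubescape";
  version = "2.3.4";

  src = fetchFromGitHub {
    owner = "kubescape";
    repo = pname;
    rev = "refs/tags/v${version}";
    # Content hash of the fetched tree (submodules included); update it
    # together with `version`.
    hash = "sha256-REUB7EsRZtgOImMaGyX2UGwWjTYZGfrIlwPNHV0NjbU=";
    fetchSubmodules = true;
  };

  # Content hash of the vendored Go module dependencies; must be refreshed
  # whenever upstream's dependency set changes.
  vendorHash = "sha256-VLEyfnLyXujzMQd/HBfjQ6MQcM/hav0SCEl3G2lxKbo=";

  nativeBuildInputs = [
    installShellFiles
  ];

  ldflags = [
    # Omit the symbol table (-s) and DWARF debug info (-w) from the binary.
    "-s"
    "-w"
    # Embed the packaged version so `kubescape version` reports it; this is
    # verified again in installCheckPhase.
    "-X github.com/kubescape/kubescape/v2/core/cautils.BuildNumber=v${version}"
  ];

  # Only the repository root produces the binary we ship.
  subPackages = [ "." ];

  # The build sandbox has no network, so every test that reaches out to a
  # remote repository or registry is removed or renamed so `go test` skips it.
  preCheck = ''
    # Feed in all but the integration tests for testing
    # This is because subPackages above limits what is built to just what we
    # want but also limits the tests
    # Skip httphandler tests - the checkPhase doesn't care about excludedPackages
    getGoDirs() {
      go list ./... | grep -v httphandler
    }

    # remove tests that use networking
    rm core/pkg/resourcehandler/urlloader_test.go
    rm core/pkg/opaprocessor/*_test.go

    # remove tests that use networking
    substituteInPlace core/pkg/resourcehandler/repositoryscanner_test.go \
      --replace "TestScanRepository" "SkipScanRepository" \
      --replace "TestGit" "SkipGit"

    # remove test that requires networking
    substituteInPlace core/cautils/scaninfo_test.go \
      --replace "TestSetContextMetadata" "SkipSetContextMetadata"
  '';

  # Shell completions are generated by the freshly built binary itself.
  postInstall = ''
    installShellCompletion --cmd kubescape \
      --bash <($out/bin/kubescape completion bash) \
      --fish <($out/bin/kubescape completion fish) \
      --zsh <($out/bin/kubescape completion zsh)
  '';

  doInstallCheck = true;

  # Smoke test: the binary runs, and the version baked in via ldflags matches
  # the packaged `version`.
  installCheckPhase = ''
    runHook preInstallCheck
    $out/bin/kubescape --help
    $out/bin/kubescape version | grep "v${version}"
    runHook postInstallCheck
  '';

  meta = with lib; {
    description = "Tool for testing if Kubernetes is deployed securely";
    homepage = "https://github.com/kubescape/kubescape";
    changelog = "https://github.com/kubescape/kubescape/releases/tag/v${version}";
    longDescription = ''
      Kubescape is the first open-source tool for testing if Kubernetes is
      deployed securely according to multiple frameworks: regulatory, customized
      company policies and DevSecOps best practices, such as the NSA-CISA and
      the MITRE ATT&CK®.
      Kubescape scans K8s clusters, YAML files, and HELM charts, and detect
      misconfigurations and software vulnerabilities at early stages of the
      CI/CD pipeline and provides a risk score instantly and risk trends over
      time. Kubescape integrates natively with other DevOps tools, including
      Jenkins, CircleCI and Github workflows.
    '';
    license = licenses.asl20;
    maintainers = with maintainers; [ fab jk ];
    # Lets `nix run` and `lib.getExe` resolve the executable without guessing
    # from pname.
    mainProgram = "kubescape";
  };
}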