Diffstat (limited to 'nixpkgs/pkgs/development/tools/analysis/checkov/default.nix')
-rw-r--r-- | nixpkgs/pkgs/development/tools/analysis/checkov/default.nix | 164 |
1 files changed, 164 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/development/tools/analysis/checkov/default.nix b/nixpkgs/pkgs/development/tools/analysis/checkov/default.nix
new file mode 100644
index 000000000000..3d6b7b06ac83
--- /dev/null
+++ b/nixpkgs/pkgs/development/tools/analysis/checkov/default.nix
@@ -0,0 +1,164 @@
+{ lib
+, fetchFromGitHub
+, python3
+}:
+
+python3.pkgs.buildPythonApplication rec {
+ pname = "checkov";
+ version = "3.1.66";
+ pyproject = true;
+
+ src = fetchFromGitHub {
+ owner = "bridgecrewio";
+ repo = "checkov";
+ rev = "refs/tags/${version}";
+ hash = "sha256-hvl29/K4qHvDiXM0Ufmi3ExMq+2JXQbSzaFYCCP0OhU=";
+ };
+
+ patches = [
+ ./flake8-compat-5.x.patch
+ ];
+
+ pythonRelaxDeps = [
+ "bc-detect-secrets"
+ "bc-python-hcl2"
+ "dpath"
+ "igraph"
+ "license-expression"
+ "networkx"
+ "openai"
+ "pycep-parser"
+ "termcolor"
+ ];
+
+ pythonRemoveDeps = [
+ # pythonRelaxDeps doesn't work with that one
+ "pycep-parser"
+ ];
+
+ nativeBuildInputs = with python3.pkgs; [
+ pythonRelaxDepsHook
+ setuptools-scm
+ ];
+
+ propagatedBuildInputs = with python3.pkgs; [
+ aiodns
+ aiohttp
+ aiomultiprocess
+ argcomplete
+ bc-detect-secrets
+ bc-jsonpath-ng
+ bc-python-hcl2
+ boto3
+ cachetools
+ charset-normalizer
+ cloudsplaining
+ colorama
+ configargparse
+ cyclonedx-python-lib
+ docker
+ dockerfile-parse
+ dpath
+ flake8
+ gitpython
+ igraph
+ jmespath
+ jsonschema
+ junit-xml
+ license-expression
+ networkx
+ openai
+ packaging
+ policyuniverse
+ prettytable
+ pycep-parser
+ pyyaml
+ pydantic
+ rustworkx
+ semantic-version
+ spdx-tools
+ tabulate
+ termcolor
+ tqdm
+ typing-extensions
+ update-checker
+ ];
+
+ nativeCheckInputs = with python3.pkgs; [
+ aioresponses
+ mock
+ pytest-asyncio
+ pytest-mock
+ pytest-xdist
+ pytestCheckHook
+ responses
+ ];
+
+ preCheck = ''
+ export HOME=$(mktemp -d);
+ '';
+
+ disabledTests = [
+ # No API key available
+ "api_key"
+ # Requires network access
+ "TestSarifReport"
+ "test_skip_mapping_default"
+ # Flake8 test
+ "test_file_with_class"
+ "test_dataclass_skip"
+ "test_typing_class_skip"
+ # Tests are comparing console output
+ "cli"
+ "console"
+ # Assertion error
+ "test_runner"
+ # AssertionError: assert ['<?xml versi...
+ "test_get_cyclonedx_report"
+ ];
+
+ disabledTestPaths = [
+ # Tests are pulling from external sources
+ # https://github.com/bridgecrewio/checkov/blob/f03a4204d291cf47e3753a02a9b8c8d805bbd1be/.github/workflows/build.yml
+ "integration_tests/"
+ "tests/ansible/"
+ "tests/arm/"
+ "tests/bicep/"
+ "tests/cloudformation/"
+ "tests/common/"
+ "tests/dockerfile/"
+ "tests/generic_json/"
+ "tests/generic_yaml/"
+ "tests/github_actions/"
+ "tests/github/"
+ "tests/kubernetes/"
+ "tests/sca_package_2"
+ "tests/terraform/"
+ "cdk_integration_tests/"
+ "sast_integration_tests"
+ # Performance tests have no value for us
+ "performance_tests/test_checkov_performance.py"
+ # No Helm
+ "dogfood_tests/test_checkov_dogfood.py"
+ ];
+
+ pythonImportsCheck = [
+ "checkov"
+ ];
+
+ postInstall = ''
+ chmod +x $out/bin/checkov
+ '';
+
+ meta = with lib; {
+ description = "Static code analysis tool for infrastructure-as-code";
+ homepage = "https://github.com/bridgecrewio/checkov";
+ changelog = "https://github.com/bridgecrewio/checkov/releases/tag/${version}";
+ longDescription = ''
+ Prevent cloud misconfigurations during build-time for Terraform, Cloudformation,
+ Kubernetes, Serverless framework and other infrastructure-as-code-languages.
+ '';
+ license = licenses.asl20;
+ maintainers = with maintainers; [ anhdle14 fab ];
+ };
+} |
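Review bot: Several disabledTests entries are bare substrings — `"api_key"`, `"cli"`, `"console"`, `"test_runner"` — and pytestCheckHook folds this list into a pytest `-k "not …"` expression, which matches on substrings of the test, class and module names, so these will deselect far more than the tests the comments describe (anything whose path contains "cli" or "console", every runner test, not only the one with the assertion error). Narrowing them to the concrete test names, or moving the affected files into disabledTestPaths, keeps the remaining check phase honest about what is actually exercised for a security scanner whose correctness this package is meant to verify. The disabledTestPaths list also mixes `"tests/sca_package_2"` and `"sast_integration_tests"` without a trailing slash against the other directory entries; a consistent trailing slash makes the intent (whole directory, not a prefix) explicit.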