nixpkgs/pkgs/tools/security/kubescape/default.nix

{ lib
, buildGoModule
, fetchFromGitHub
, installShellFiles
, kubescape
, testers
}:

buildGoModule rec {
  pname = "kubescape";
  version = "2.9.1";

  src = fetchFromGitHub {
    owner = "kubescape";
    repo = pname;
    rev = "refs/tags/v${version}";
    hash = "sha256-FKWR3pxFtJBEa14Mn3RKsLvrliHaj6TuF4F2JLtw2qA=";
    fetchSubmodules = true;
  };

  vendorHash = "sha256-zcv8oYm6srwkwT3pUECtTewyqVVpCIcs3i0VRTRft68=";

  nativeBuildInputs = [
    installShellFiles
  ];

  ldflags = [
    "-s"
    "-w"
    "-X=github.com/kubescape/kubescape/v2/core/cautils.BuildNumber=v${version}"
  ];

  subPackages = [ "." ];

  preCheck = ''
    # Feed in all but the integration tests for testing
    # This is because subPackages above limits what is built to just what we
    # want but also limits the tests
    # Skip httphandler tests - the checkPhase doesn't care about excludedPackages
    getGoDirs() {
      go list ./... | grep -v httphandler
    }

    # remove tests that use networking
    rm core/pkg/resourcehandler/urlloader_test.go
    rm core/pkg/opaprocessor/*_test.go
    rm core/cautils/getter/downloadreleasedpolicy_test.go

    # remove tests that use networking
    substituteInPlace core/pkg/resourcehandler/repositoryscanner_test.go \
      --replace "TestScanRepository" "SkipScanRepository" \
      --replace "TestGit" "SkipGit"

    # remove test that requires networking
    substituteInPlace core/cautils/scaninfo_test.go \
      --replace "TestSetContextMetadata" "SkipSetContextMetadata"
  '';

  postInstall = ''
    installShellCompletion --cmd kubescape \
      --bash <($out/bin/kubescape completion bash) \
      --fish <($out/bin/kubescape completion fish) \
      --zsh <($out/bin/kubescape completion zsh)
  '';

  passthru.tests.version = testers.testVersion {
    package = kubescape;
    command = "kubescape version";
    version = "v${version}";
  };

  meta = with lib; {
    description = "Tool for testing if Kubernetes is deployed securely";
    homepage = "https://github.com/kubescape/kubescape";
    changelog = "https://github.com/kubescape/kubescape/releases/tag/v${version}";
    longDescription = ''
      Kubescape is the first open-source tool for testing if Kubernetes is
      deployed securely according to multiple frameworks: regulatory, customized
      company policies and DevSecOps best practices, such as the NSA-CISA and
      the MITRE ATT&CK®.
      Kubescape scans K8s clusters, YAML files, and HELM charts, and detect
      misconfigurations and software vulnerabilities at early stages of the
      CI/CD pipeline and provides a risk score instantly and risk trends over
      time. Kubescape integrates natively with other DevOps tools, including
      Jenkins, CircleCI and Github workflows.
    '';
    license = licenses.asl20;
    maintainers = with maintainers; [ fab jk ];
  };
}
kubescape: 1.0.128 -> 1.0.130 2021-11-10 09:04:07 +00:00			`{ lib`
			`, buildGoModule`
			`, fetchFromGitHub`
			`, installShellFiles`
kubescape: 2.9.0 -> 2.9.1 Diff: https://github.com/kubescape/kubescape/compare/refs/tags/v2.9.0...v2.9.1 Changelog: https://github.com/kubescape/kubescape/releases/tag/v2.9.1 2023-09-05 18:27:41 +00:00			`, kubescape`
			`, testers`
kubescape: 1.0.128 -> 1.0.130 2021-11-10 09:04:07 +00:00			`}:`
kubescape: init at 1.0.64 2021-09-03 17:23:07 +00:00
			`buildGoModule rec {`
			`pname = "kubescape";`
kubescape: 2.9.0 -> 2.9.1 Diff: https://github.com/kubescape/kubescape/compare/refs/tags/v2.9.0...v2.9.1 Changelog: https://github.com/kubescape/kubescape/releases/tag/v2.9.1 2023-09-05 18:27:41 +00:00			`version = "2.9.1";`
kubescape: init at 1.0.64 2021-09-03 17:23:07 +00:00
			`src = fetchFromGitHub {`
kubescape: 2.2.3 -> 2.2.4 Diff: https://github.com/kubescape/kubescape.git/compare/refs/tags/v2.2.3...v2.2.4 Changelog: https://github.com/kubescape/kubescape/releases/tag/v2.2.4 2023-03-08 00:26:48 +00:00			`owner = "kubescape";`
kubescape: init at 1.0.64 2021-09-03 17:23:07 +00:00			`repo = pname;`
kubescape: 2.0.161 -> 2.2.3 Diff: https://github.com/armosec/kubescape.git/compare/refs/tags/v2.0.161...v2.2.3 Changelog: https://github.com/armosec/kubescape/releases/tag/v2.2.3 2023-03-05 19:48:59 +00:00			`rev = "refs/tags/v${version}";`
kubescape: 2.9.0 -> 2.9.1 Diff: https://github.com/kubescape/kubescape/compare/refs/tags/v2.9.0...v2.9.1 Changelog: https://github.com/kubescape/kubescape/releases/tag/v2.9.1 2023-09-05 18:27:41 +00:00			`hash = "sha256-FKWR3pxFtJBEa14Mn3RKsLvrliHaj6TuF4F2JLtw2qA=";`
kubescape: 2.0.161 -> 2.2.3 Diff: https://github.com/armosec/kubescape.git/compare/refs/tags/v2.0.161...v2.2.3 Changelog: https://github.com/armosec/kubescape/releases/tag/v2.2.3 2023-03-05 19:48:59 +00:00			`fetchSubmodules = true;`
kubescape: init at 1.0.64 2021-09-03 17:23:07 +00:00			`};`
kubescape: 2.0.161 -> 2.2.3 Diff: https://github.com/armosec/kubescape.git/compare/refs/tags/v2.0.161...v2.2.3 Changelog: https://github.com/armosec/kubescape/releases/tag/v2.2.3 2023-03-05 19:48:59 +00:00
kubescape: 2.9.0 -> 2.9.1 Diff: https://github.com/kubescape/kubescape/compare/refs/tags/v2.9.0...v2.9.1 Changelog: https://github.com/kubescape/kubescape/releases/tag/v2.9.1 2023-09-05 18:27:41 +00:00			`vendorHash = "sha256-zcv8oYm6srwkwT3pUECtTewyqVVpCIcs3i0VRTRft68=";`
kubescape: init at 1.0.64 2021-09-03 17:23:07 +00:00
kubescape: 1.0.128 -> 1.0.130 2021-11-10 09:04:07 +00:00			`nativeBuildInputs = [`
			`installShellFiles`
			`];`

			`ldflags = [`
			`"-s"`
			`"-w"`
kubescape: 2.3.6 -> 2.9.0 Diff: https://github.com/kubescape/kubescape/compare/refs/tags/v2.3.6...v2.9.0 Changelog: https://github.com/kubescape/kubescape/releases/tag/v2.9.0 2023-08-17 07:23:04 +00:00			`"-X=github.com/kubescape/kubescape/v2/core/cautils.BuildNumber=v${version}"`
kubescape: 1.0.128 -> 1.0.130 2021-11-10 09:04:07 +00:00			`];`
kubescape: 1.0.126 -> 1.0.127 2021-10-26 13:27:47 +00:00
kubescape: 2.0.150 -> 2.0.152 2022-04-11 14:58:37 +00:00			`subPackages = [ "." ];`

			`preCheck = ''`
			`# Feed in all but the integration tests for testing`
			`# This is because subPackages above limits what is built to just what we`
			`# want but also limits the tests`
			`# Skip httphandler tests - the checkPhase doesn't care about excludedPackages`
			`getGoDirs() {`
			`go list ./... \| grep -v httphandler`
			`}`

kubescape: 2.0.152 -> 2.0.155 2022-05-24 08:57:34 +00:00			`# remove tests that use networking`
			`rm core/pkg/resourcehandler/urlloader_test.go`
kubescape: 2.0.161 -> 2.2.3 Diff: https://github.com/armosec/kubescape.git/compare/refs/tags/v2.0.161...v2.2.3 Changelog: https://github.com/armosec/kubescape/releases/tag/v2.2.3 2023-03-05 19:48:59 +00:00			`rm core/pkg/opaprocessor/*_test.go`
kubescape: 2.3.6 -> 2.9.0 Diff: https://github.com/kubescape/kubescape/compare/refs/tags/v2.3.6...v2.9.0 Changelog: https://github.com/kubescape/kubescape/releases/tag/v2.9.0 2023-08-17 07:23:04 +00:00			`rm core/cautils/getter/downloadreleasedpolicy_test.go`
kubescape: 2.0.152 -> 2.0.155 2022-05-24 08:57:34 +00:00
			`# remove tests that use networking`
			`substituteInPlace core/pkg/resourcehandler/repositoryscanner_test.go \`
			`--replace "TestScanRepository" "SkipScanRepository" \`
			`--replace "TestGit" "SkipGit"`

kubescape: fix darwin 2022-05-26 07:53:03 +00:00			`# remove test that requires networking`
kubescape: 2.0.152 -> 2.0.155 2022-05-24 08:57:34 +00:00			`substituteInPlace core/cautils/scaninfo_test.go \`
kubescape: fix darwin 2022-05-26 07:53:03 +00:00			`--replace "TestSetContextMetadata" "SkipSetContextMetadata"`
kubescape: 2.0.149 -> 2.0.150 2022-03-31 16:53:17 +00:00			`'';`

kubescape: 1.0.126 -> 1.0.127 2021-10-26 13:27:47 +00:00			`postInstall = ''`
			`installShellCompletion --cmd kubescape \`
			`--bash <($out/bin/kubescape completion bash) \`
			`--fish <($out/bin/kubescape completion fish) \`
			`--zsh <($out/bin/kubescape completion zsh)`
			`'';`
kubescape: init at 1.0.64 2021-09-03 17:23:07 +00:00
kubescape: 2.9.0 -> 2.9.1 Diff: https://github.com/kubescape/kubescape/compare/refs/tags/v2.9.0...v2.9.1 Changelog: https://github.com/kubescape/kubescape/releases/tag/v2.9.1 2023-09-05 18:27:41 +00:00			`passthru.tests.version = testers.testVersion {`
			`package = kubescape;`
			`command = "kubescape version";`
			`version = "v${version}";`
			`};`
kubescape: 2.2.3 -> 2.2.4 Diff: https://github.com/kubescape/kubescape.git/compare/refs/tags/v2.2.3...v2.2.4 Changelog: https://github.com/kubescape/kubescape/releases/tag/v2.2.4 2023-03-08 00:26:48 +00:00
kubescape: init at 1.0.64 2021-09-03 17:23:07 +00:00			`meta = with lib; {`
			`description = "Tool for testing if Kubernetes is deployed securely";`
kubescape: 2.2.3 -> 2.2.4 Diff: https://github.com/kubescape/kubescape.git/compare/refs/tags/v2.2.3...v2.2.4 Changelog: https://github.com/kubescape/kubescape/releases/tag/v2.2.4 2023-03-08 00:26:48 +00:00			`homepage = "https://github.com/kubescape/kubescape";`
			`changelog = "https://github.com/kubescape/kubescape/releases/tag/v${version}";`
kubescape: 1.0.126 -> 1.0.127 2021-10-26 13:27:47 +00:00			`longDescription = ''`
			`Kubescape is the first open-source tool for testing if Kubernetes is`
			`deployed securely according to multiple frameworks: regulatory, customized`
			`company policies and DevSecOps best practices, such as the NSA-CISA and`
			`the MITRE ATT&CK®.`
			`Kubescape scans K8s clusters, YAML files, and HELM charts, and detect`
			`misconfigurations and software vulnerabilities at early stages of the`
			`CI/CD pipeline and provides a risk score instantly and risk trends over`
			`time. Kubescape integrates natively with other DevOps tools, including`
			`Jenkins, CircleCI and Github workflows.`
			`'';`
kubescape: init at 1.0.64 2021-09-03 17:23:07 +00:00			`license = licenses.asl20;`
kubescape: 1.0.126 -> 1.0.127 2021-10-26 13:27:47 +00:00			`maintainers = with maintainers; [ fab jk ];`
kubescape: init at 1.0.64 2021-09-03 17:23:07 +00:00			`};`
			`}`