nixpkgs/pkgs/development/tools/analysis/checkov/default.nix
2021-01-15 03:26:38 +09:00

78 lines
2.0 KiB
Nix

{ stdenv, pkgs, lib, python3, fetchFromGitHub }:
let
pname = "checkov";
version = "1.0.674";
src = fetchFromGitHub {
owner = "bridgecrewio";
repo = pname;
rev = version;
sha256 = "/S8ic5ZVxA2vd/rjRPX5gslbmnULL7BSx34vgWIsheQ=";
};
disabled = pkgs.python3Packages.pythonOlder "3.7";
# CheckOV only work with `dpath 1.5.0`
dpath = pkgs.python3Packages.buildPythonPackage rec {
pname = "dpath";
version = "1.5.0";
src = pkgs.python3Packages.fetchPypi {
inherit pname version;
sha256 = "SWYVtOqEI20Y4NKGEi3nSGmmDg+H4sfsZ4f/KGxINhs=";
};
doCheck = false;
};
in
python3.pkgs.buildPythonPackage rec {
inherit pname version disabled src;
nativeBuildInputs = with python3.pkgs; [ setuptools_scm ];
propagatedBuildInputs = with python3.pkgs; [
pytest
coverage
bandit
bc-python-hcl2
deep_merge
tabulate
colorama
termcolor
junit-xml
dpath
pyyaml
boto3
GitPython
six
jmespath
tqdm
update_checker
semantic-version
packaging
];
# Both of these tests are pulling from external srouces (https://github.com/bridgecrewio/checkov/blob/f03a4204d291cf47e3753a02a9b8c8d805bbd1be/.github/workflows/build.yml)
preCheck = ''
rm -rf integration_tests/*
rm -rf tests/terraform/*
'';
# Wrap the executable so that the python packages are available
# it's just a shebang script which calls `python -m checkov "$@"`
postFixup = ''
wrapProgram $out/bin/checkov \
--set PYTHONPATH $PYTHONPATH
'';
meta = with lib; {
homepage = "https://github.com/bridgecrewio/checkov";
description = "Static code analysis tool for infrastructure-as-code";
longDescription = ''
Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework and other infrastructure-as-code-languages with Checkov by Bridgecrew.
'';
license = licenses.asl20;
maintainers = with maintainers; [ anhdle14 ];
};
}