nixpkgs/pkgs/tools/security/kubescape/default.nix

{ lib
, buildGoModule
, fetchFromGitHub
, installShellFiles
}:

buildGoModule rec {
  pname = "kubescape";
  version = "2.0.156";

  src = fetchFromGitHub {
    owner = "armosec";
    repo = pname;
    rev = "v${version}";
    hash = "sha256-bbTafsHllJQZ9Qn+qFnlr/AdU7NgB/vAvQGIgt/XDNQ=";
  };
  vendorSha256 = "sha256-zj2gDx5333AguLs1Gzu3bYXslDwvPFSbMmOTOFxmq6A=";

  nativeBuildInputs = [
    installShellFiles
  ];

  ldflags = [
    "-s"
    "-w"
    "-X github.com/armosec/kubescape/v2/core/cautils.BuildNumber=v${version}"
  ];

  subPackages = [ "." ];

  preCheck = ''
    # Feed in all but the integration tests for testing
    # This is because subPackages above limits what is built to just what we
    # want but also limits the tests
    # Skip httphandler tests - the checkPhase doesn't care about excludedPackages
    getGoDirs() {
      go list ./... | grep -v httphandler
    }

    # remove tests that use networking
    rm core/pkg/resourcehandler/urlloader_test.go

    # remove tests that use networking
    substituteInPlace core/pkg/resourcehandler/repositoryscanner_test.go \
      --replace "TestScanRepository" "SkipScanRepository" \
      --replace "TestGit" "SkipGit"

    # remove test that requires networking
    substituteInPlace core/cautils/scaninfo_test.go \
      --replace "TestSetContextMetadata" "SkipSetContextMetadata"
  '';

  postInstall = ''
    installShellCompletion --cmd kubescape \
      --bash <($out/bin/kubescape completion bash) \
      --fish <($out/bin/kubescape completion fish) \
      --zsh <($out/bin/kubescape completion zsh)
  '';

  doInstallCheck = true;
  installCheckPhase = ''
    runHook preInstallCheck
    $out/bin/kubescape --help
    # `--version` vs `version` shows the version without checking for latest
    # if the flag is missing the BuildNumber may have moved
    $out/bin/kubescape --version | grep "v${version}"
    runHook postInstallCheck
  '';

  meta = with lib; {
    description = "Tool for testing if Kubernetes is deployed securely";
    homepage = "https://github.com/armosec/kubescape";
    changelog = "https://github.com/armosec/kubescape/releases/tag/v${version}";
    longDescription = ''
      Kubescape is the first open-source tool for testing if Kubernetes is
      deployed securely according to multiple frameworks: regulatory, customized
      company policies and DevSecOps best practices, such as the NSA-CISA and
      the MITRE ATT&CK®.
      Kubescape scans K8s clusters, YAML files, and HELM charts, and detect
      misconfigurations and software vulnerabilities at early stages of the
      CI/CD pipeline and provides a risk score instantly and risk trends over
      time. Kubescape integrates natively with other DevOps tools, including
      Jenkins, CircleCI and Github workflows.
    '';
    license = licenses.asl20;
    maintainers = with maintainers; [ fab jk ];
  };
}
kubescape: 1.0.128 -> 1.0.130 2021-11-10 10:04:07 +01:00			`{ lib`
			`, buildGoModule`
			`, fetchFromGitHub`
			`, installShellFiles`
			`}:`
kubescape: init at 1.0.64 2021-09-03 19:23:07 +02:00
			`buildGoModule rec {`
			`pname = "kubescape";`
kubescape: 2.0.155 -> 2.0.156 2022-05-27 18:02:06 +02:00			`version = "2.0.156";`
kubescape: init at 1.0.64 2021-09-03 19:23:07 +02:00
			`src = fetchFromGitHub {`
			`owner = "armosec";`
			`repo = pname;`
			`rev = "v${version}";`
kubescape: 2.0.155 -> 2.0.156 2022-05-27 18:02:06 +02:00			`hash = "sha256-bbTafsHllJQZ9Qn+qFnlr/AdU7NgB/vAvQGIgt/XDNQ=";`
kubescape: init at 1.0.64 2021-09-03 19:23:07 +02:00			`};`
kubescape: 2.0.152 -> 2.0.155 2022-05-24 10:57:34 +02:00			`vendorSha256 = "sha256-zj2gDx5333AguLs1Gzu3bYXslDwvPFSbMmOTOFxmq6A=";`
kubescape: init at 1.0.64 2021-09-03 19:23:07 +02:00
kubescape: 1.0.128 -> 1.0.130 2021-11-10 10:04:07 +01:00			`nativeBuildInputs = [`
			`installShellFiles`
			`];`

			`ldflags = [`
			`"-s"`
			`"-w"`
kubescape: 2.0.150 -> 2.0.152 2022-04-11 16:58:37 +02:00			`"-X github.com/armosec/kubescape/v2/core/cautils.BuildNumber=v${version}"`
kubescape: 1.0.128 -> 1.0.130 2021-11-10 10:04:07 +01:00			`];`
kubescape: 1.0.126 -> 1.0.127 2021-10-26 15:27:47 +02:00
kubescape: 2.0.150 -> 2.0.152 2022-04-11 16:58:37 +02:00			`subPackages = [ "." ];`

			`preCheck = ''`
			`# Feed in all but the integration tests for testing`
			`# This is because subPackages above limits what is built to just what we`
			`# want but also limits the tests`
			`# Skip httphandler tests - the checkPhase doesn't care about excludedPackages`
			`getGoDirs() {`
			`go list ./... \| grep -v httphandler`
			`}`

kubescape: 2.0.152 -> 2.0.155 2022-05-24 10:57:34 +02:00			`# remove tests that use networking`
			`rm core/pkg/resourcehandler/urlloader_test.go`

			`# remove tests that use networking`
			`substituteInPlace core/pkg/resourcehandler/repositoryscanner_test.go \`
			`--replace "TestScanRepository" "SkipScanRepository" \`
			`--replace "TestGit" "SkipGit"`

kubescape: fix darwin 2022-05-26 09:53:03 +02:00			`# remove test that requires networking`
kubescape: 2.0.152 -> 2.0.155 2022-05-24 10:57:34 +02:00			`substituteInPlace core/cautils/scaninfo_test.go \`
kubescape: fix darwin 2022-05-26 09:53:03 +02:00			`--replace "TestSetContextMetadata" "SkipSetContextMetadata"`
kubescape: 2.0.149 -> 2.0.150 2022-03-31 18:53:17 +02:00			`'';`

kubescape: 1.0.126 -> 1.0.127 2021-10-26 15:27:47 +02:00			`postInstall = ''`
			`installShellCompletion --cmd kubescape \`
			`--bash <($out/bin/kubescape completion bash) \`
			`--fish <($out/bin/kubescape completion fish) \`
			`--zsh <($out/bin/kubescape completion zsh)`
			`'';`
kubescape: init at 1.0.64 2021-09-03 19:23:07 +02:00
kubescape: 2.0.149 -> 2.0.150 2022-03-31 18:53:17 +02:00			`doInstallCheck = true;`
			`installCheckPhase = ''`
			`runHook preInstallCheck`
			`$out/bin/kubescape --help`
kubescape: 2.0.150 -> 2.0.152 2022-04-11 16:58:37 +02:00			# `--version` vs `version` shows the version without checking for latest
			`# if the flag is missing the BuildNumber may have moved`
kubescape: 2.0.149 -> 2.0.150 2022-03-31 18:53:17 +02:00			`$out/bin/kubescape --version \| grep "v${version}"`
			`runHook postInstallCheck`
			`'';`

kubescape: init at 1.0.64 2021-09-03 19:23:07 +02:00			`meta = with lib; {`
			`description = "Tool for testing if Kubernetes is deployed securely";`
			`homepage = "https://github.com/armosec/kubescape";`
kubescape: 1.0.126 -> 1.0.127 2021-10-26 15:27:47 +02:00			`changelog = "https://github.com/armosec/kubescape/releases/tag/v${version}";`
			`longDescription = ''`
			`Kubescape is the first open-source tool for testing if Kubernetes is`
			`deployed securely according to multiple frameworks: regulatory, customized`
			`company policies and DevSecOps best practices, such as the NSA-CISA and`
			`the MITRE ATT&CK®.`
			`Kubescape scans K8s clusters, YAML files, and HELM charts, and detect`
			`misconfigurations and software vulnerabilities at early stages of the`
			`CI/CD pipeline and provides a risk score instantly and risk trends over`
			`time. Kubescape integrates natively with other DevOps tools, including`
			`Jenkins, CircleCI and Github workflows.`
			`'';`
kubescape: init at 1.0.64 2021-09-03 19:23:07 +02:00			`license = licenses.asl20;`
kubescape: 1.0.126 -> 1.0.127 2021-10-26 15:27:47 +02:00			`maintainers = with maintainers; [ fab jk ];`
kubescape: init at 1.0.64 2021-09-03 19:23:07 +02:00			`};`
			`}`