Merge pull request #268619 from tweag/lib-descriptions
1 { lib
2 , fetchFromGitHub
3 , python3
4 }:
6 python3.pkgs.buildPythonApplication rec {
7   pname = "checkov";
8   version = "3.0.40";
9   pyproject = true;
11   src = fetchFromGitHub {
12     owner = "bridgecrewio";
13     repo = "checkov";
14     rev = "refs/tags/${version}";
15     hash = "sha256-L7D29npEUSy9lO3RF5rJ9apQoZjWhC45D0c+7/5/8r0=";
16   };
18   patches = [
19     ./flake8-compat-5.x.patch
20   ];
22   pythonRelaxDeps = [
23     "bc-detect-secrets"
24     "bc-python-hcl2"
25     "dpath"
26     "license-expression"
27     "networkx"
28     "pycep-parser"
29   ];
31   nativeBuildInputs = with python3.pkgs; [
32     pythonRelaxDepsHook
33     setuptools-scm
34   ];
36   propagatedBuildInputs = with python3.pkgs; [
37     aiodns
38     aiohttp
39     aiomultiprocess
40     argcomplete
41     bc-detect-secrets
42     bc-jsonpath-ng
43     bc-python-hcl2
44     boto3
45     cachetools
46     charset-normalizer
47     cloudsplaining
48     colorama
49     configargparse
50     cyclonedx-python-lib
51     docker
52     dockerfile-parse
53     dpath
54     flake8
55     gitpython
56     igraph
57     jmespath
58     jsonschema
59     junit-xml
60     license-expression
61     networkx
62     openai
63     packaging
64     policyuniverse
65     prettytable
66     pycep-parser
67     pyyaml
68     pydantic
69     rustworkx
70     semantic-version
71     spdx-tools
72     tabulate
73     termcolor
74     tqdm
75     typing-extensions
76     update_checker
77   ];
79   nativeCheckInputs = with python3.pkgs; [
80     aioresponses
81     mock
82     pytest-asyncio
83     pytest-mock
84     pytest-xdist
85     pytestCheckHook
86     responses
87   ];
89   preCheck = ''
90     export HOME=$(mktemp -d);
91   '';
93   disabledTests = [
94     # No API key available
95     "api_key"
96     # Requires network access
97     "TestSarifReport"
98     "test_skip_mapping_default"
99     # Flake8 test
100     "test_file_with_class"
101     "test_dataclass_skip"
102     "test_typing_class_skip"
103     # Tests are comparing console output
104     "cli"
105     "console"
106     # Assertion error
107     "test_runner"
108     # AssertionError: assert ['<?xml versi...
109     "test_get_cyclonedx_report"
110   ];
112   disabledTestPaths = [
113     # Tests are pulling from external sources
114     # https://github.com/bridgecrewio/checkov/blob/f03a4204d291cf47e3753a02a9b8c8d805bbd1be/.github/workflows/build.yml
115     "integration_tests/"
116     "tests/ansible/"
117     "tests/arm/"
118     "tests/bicep/"
119     "tests/cloudformation/"
120     "tests/common/"
121     "tests/dockerfile/"
122     "tests/generic_json/"
123     "tests/generic_yaml/"
124     "tests/github_actions/"
125     "tests/github/"
126     "tests/kubernetes/"
127     "tests/sca_package_2"
128     "tests/terraform/"
129     "cdk_integration_tests/"
130     "sast_integration_tests"
131     # Performance tests have no value for us
132     "performance_tests/test_checkov_performance.py"
133     # No Helm
134     "dogfood_tests/test_checkov_dogfood.py"
135   ];
137   pythonImportsCheck = [
138     "checkov"
139   ];
141   postInstall = ''
142     chmod +x $out/bin/checkov
143   '';
145   meta = with lib; {
146     description = "Static code analysis tool for infrastructure-as-code";
147     homepage = "https://github.com/bridgecrewio/checkov";
148     changelog = "https://github.com/bridgecrewio/checkov/releases/tag/${version}";
149     longDescription = ''
150       Prevent cloud misconfigurations during build-time for Terraform, Cloudformation,
151       Kubernetes, Serverless framework and other infrastructure-as-code-languages.
152     '';
153     license = licenses.asl20;
154     maintainers = with maintainers; [ anhdle14 fab ];
155   };