[NixPkgs.git] / pkgs / development / tools / analysis / checkov / default.nix
2   lib,
3   fetchFromGitHub,
4   python3,
5 }:
7 python3.pkgs.buildPythonApplication rec {
8   pname = "checkov";
    # `version` also selects the source tag (src.rev) and the changelog URL in meta.
9   version = "3.2.74";
10   pyproject = true;
     # Upstream source, fetched from GitHub by tag and checked against `hash`.
12   src = fetchFromGitHub {
13     owner = "bridgecrewio";
14     repo = "checkov";
       # Fully qualified tag ref derived from `version`.
15     rev = "refs/tags/${version}";
       # The fetched source is accepted only if it matches this SHA-256, so a tag that is
       # re-pointed upstream fails the fetch instead of changing the build. Update the hash
       # with every version bump: with a stale hash Nix can reuse the source it already
       # fetched for the old version and build that without any error.
16     hash = "sha256-Ge0SCoZeBdEKGjvPXGzsYptKBzNWrUbjLEdNxsYUlcI=";
17   };
     # Patch file kept next to this expression; its content is not shown in this listing.
     # NOTE(review): the file name suggests a flake8 compatibility fix - confirm.
19   patches = [ ./flake8-compat-5.x.patch ];
21   pythonRelaxDeps = [
       # The version constraints upstream declares for these packages are dropped, so the
       # build accepts whichever versions python3.pkgs provides. checkov then runs against
       # dependency versions upstream may not have tested; review this list on each update
       # and drop entries that are no longer needed.
22     "bc-detect-secrets"
23     "bc-python-hcl2"
24     "boto3"
25     "botocore"
26     "dpath"
27     "igraph"
28     "license-expression"
29     "networkx"
30     "openai"
31     "packageurl-python"
32     "packaging"
33     "pycep-parser"
34     "rustworkx"
35     "termcolor"
36   ];
38   pythonRemoveDeps = [
       # The requirement is removed from the package metadata altogether. pycep-parser is
       # still listed in `dependencies`, so the module itself remains available.
39     # pythonRelaxDeps doesn't work with that one
40     "pycep-parser"
       # NOTE(review): "pycep-parser" is also listed in pythonRelaxDeps; given the comment
       # above, that entry looks redundant - confirm before removing it.
41   ];
43   build-system = with python3.pkgs; [
       # Python build backend requirements for the pyproject build.
44     setuptools-scm
45   ];
47   nativeBuildInputs = with python3.pkgs; [
       # Hook that applies the pythonRelaxDeps and pythonRemoveDeps lists.
48     pythonRelaxDepsHook
49   ];
51   dependencies = with python3.pkgs; [
       # Run-time dependencies, all taken from python3.pkgs at the versions that package
       # set carries (not the versions upstream pins).
52     aiodns
53     aiohttp
54     aiomultiprocess
55     argcomplete
56     bc-detect-secrets
57     bc-jsonpath-ng
58     bc-python-hcl2
59     boto3
60     cachetools
61     charset-normalizer
62     cloudsplaining
63     colorama
64     configargparse
65     cyclonedx-python-lib
66     docker
67     dockerfile-parse
68     dpath
69     flake8
70     gitpython
71     igraph
72     jmespath
73     jsonschema
74     junit-xml
75     license-expression
76     networkx
77     openai
78     packaging
79     policyuniverse
80     prettytable
81     pycep-parser
82     pyyaml
83     pydantic
84     rustworkx
85     semantic-version
86     spdx-tools
87     tabulate
88     termcolor
89     tqdm
90     typing-extensions
91     update-checker
92   ];
94   nativeCheckInputs = with python3.pkgs; [
       # Used only by the check phase. pytestCheckHook runs pytest and honours
       # disabledTests and disabledTestPaths.
95     aioresponses
96     mock
97     pytest-asyncio
98     pytest-mock
99     pytest-xdist
100     pytestCheckHook
101     responses
102   ];
      # Point HOME at a fresh, empty temporary directory before the tests start.
      # NOTE(review): presumably some tests write below $HOME - confirm.
104   preCheck = ''
105     export HOME=$(mktemp -d);
106   '';
108   disabledTests = [
        # Each entry is passed to pytest as a name filter, so it deselects every test whose
        # name contains the string, not a single test. Short entries such as "cli",
        # "console" and "api_key" are therefore broad; use full test names where only one
        # test is meant.
109     # No API key available
110     "api_key"
111     # Requires network access
112     "TestSarifReport"
113     "test_skip_mapping_default"
114     # Flake8 test
115     "test_file_with_class"
116     "test_dataclass_skip"
117     "test_typing_class_skip"
118     # Tests are comparing console output
119     "cli"
120     "console"
121     # Assertion error
        # NOTE(review): the cause of this failure is not recorded here; worth stating
        # whether it is an environment limitation or a real behaviour difference.
122     "test_runner"
123     # AssertionError: assert ['<?xml versi...
124     "test_get_cyclonedx_report"
125   ];
127   disabledTestPaths = [
        # None of the per-framework suites listed below (terraform, kubernetes,
        # cloudformation, ...) run in this build, so a passing check phase says little about
        # whether the packaged scanner's policy checks behave as upstream intends. Keep that
        # in mind together with the relaxed dependency versions in pythonRelaxDeps.
128     # Tests are pulling from external sources
129     # https://github.com/bridgecrewio/checkov/blob/f03a4204d291cf47e3753a02a9b8c8d805bbd1be/.github/workflows/build.yml
130     "integration_tests/"
131     "tests/ansible/"
132     "tests/arm/"
133     "tests/bicep/"
134     "tests/cloudformation/"
135     "tests/common/"
136     "tests/dockerfile/"
137     "tests/generic_json/"
138     "tests/generic_yaml/"
139     "tests/github_actions/"
140     "tests/github/"
141     "tests/kubernetes/"
142     "tests/sca_package_2"
143     "tests/terraform/"
144     "cdk_integration_tests/"
145     "sast_integration_tests"
146     # Performance tests have no value for us
147     "performance_tests/test_checkov_performance.py"
148     # No Helm
149     "dogfood_tests/test_checkov_dogfood.py"
150   ];
152   pythonImportsCheck = [ "checkov" ]; # smoke test: the installed `checkov` module must import
      # Set the execute bit on the installed command.
      # NOTE(review): presumably upstream installs the script without it - confirm.
154   postInstall = ''
155     chmod +x $out/bin/checkov
156   '';
158   meta = with lib; {
        # Package metadata; `with lib` brings `licenses` and `maintainers` into scope.
159     description = "Static code analysis tool for infrastructure-as-code";
160     homepage = "https://github.com/bridgecrewio/checkov";
        # Release notes for exactly the packaged version.
161     changelog = "https://github.com/bridgecrewio/checkov/releases/tag/${version}";
162     longDescription = ''
163       Prevent cloud misconfigurations during build-time for Terraform, Cloudformation,
164       Kubernetes, Serverless framework and other infrastructure-as-code-languages.
165     '';
166     license = licenses.asl20;
167     maintainers = with maintainers; [
168       anhdle14
169       fab
170     ];
171   };