Merge pull request #177777 from 06kellyjac/chain-bench

chain-bench: init at 0.0.2
2022-06-16 00:27:01 +02:00 · 2022-06-16 00:27:01 +02:00 · f649383c5a
parent 2b2174260f 2205b90699
commit f649383c5a
2 changed files with 66 additions and 0 deletions
--- a/pkgs/tools/security/chain-bench/default.nix
+++ b/pkgs/tools/security/chain-bench/default.nix
@ -0,0 +1,62 @@
+{ lib
+, stdenv
+, buildGoModule
+, fetchFromGitHub
+, installShellFiles
+}:
+
+buildGoModule rec {
+  pname = "chain-bench";
+  version = "0.0.2";
+
+  src = fetchFromGitHub {
+    owner = "aquasecurity";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-aoqkCaMEFTmaV9ewSZW6iy5Uc+riha8ecOECVccb9MM=";
+  };
+  vendorSha256 = "sha256-MTWXDIHVdgqdRO0ZoXzUPeTZ6Y19TjFQSvrhKP35BuM=";
+
+  nativeBuildInputs = [ installShellFiles ];
+
+  ldflags = [
+    "-s"
+    "-w"
+    "-X main.version=v${version}"
+  ];
+
+  postInstall = ''
+    installShellCompletion --cmd chain-bench \
+      --bash <($out/bin/chain-bench completion bash) \
+      --fish <($out/bin/chain-bench completion fish) \
+      --zsh <($out/bin/chain-bench completion zsh)
+  '';
+
+  doInstallCheck = true;
+  installCheckPhase = ''
+    runHook preInstallCheck
+    $out/bin/chain-bench --help
+    $out/bin/chain-bench --version | grep "v${version}"
+    runHook postInstallCheck
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/aquasecurity/chain-bench";
+    changelog = "https://github.com/aquasecurity/chain-bench/releases/tag/v${version}";
+    description = "An open-source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark";
+    longDescription = ''
+      Chain-bench is an open-source tool for auditing your software supply chain
+      stack for security compliance based on a new CIS Software Supply Chain
+      benchmark. The auditing focuses on the entire SDLC process, where it can
+      reveal risks from code time into deploy time. To win the race against
+      hackers and protect your sensitive data and customer trust, you need to
+      ensure your code is compliant with your organization's policies.
+    '';
+    license = licenses.asl20;
+    maintainers = with maintainers; [ jk ];
+    # TODO: see if this is an issue
+    # # Need updated macOS SDK
+    # # https://github.com/NixOS/nixpkgs/issues/101229
+    # broken = (stdenv.isDarwin && stdenv.isx86_64);
+  };
+}
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -4631,6 +4631,10 @@ with pkgs;

  cgreen = callPackage ../development/libraries/cgreen { };

+  chain-bench = callPackage ../tools/security/chain-bench {
+    buildGoModule = buildGo118Module;
+  };
+
  checkinstall = callPackage ../tools/package-management/checkinstall { };

  checkmake = callPackage ../development/tools/checkmake { };