Merge pull request #107028 from anhdle14/checkov-1.0.674

checkov: init at 1.0.674

maintainers/maintainer-list.nix

@@ -610,6 +610,16 @@
     githubId = 11699655;
     name = "Stanislas Lange";
   };
+  anhdle14 = {
+    name = "Le Anh Duc";
+    email = "anhdle14@icloud.com";
+    github = "anhdle14";
+    githubId = 9645992;
+    keys = [{
+      longkeyid = "rsa4096/0x0299AFF9ECBB5169";
+      fingerprint = "AA4B 8EC3 F971 D350 482E  4E20 0299 AFF9 ECBB 5169";
+    }];
+  };
   ankhers = {
     email = "me@ankhers.dev";
     github = "ankhers";

pkgs/development/python-modules/bc-python-hcl2/default.nix

@@ -0,0 +1,49 @@
+{ lib, buildPythonPackage, fetchPypi, nose }:
+
+let
+  lark-parser = buildPythonPackage rec {
+    pname = "lark-parser";
+    version = "0.7.8";
+
+    src = fetchPypi {
+      inherit pname version;
+      sha256 = "JiFeuxV+b7LudDGapERbnzt+RW4mviFc4Z/aqpAcIKQ=";
+    };
+
+    doCheck = true;
+  };
+in
+buildPythonPackage rec {
+  pname = "bc-python-hcl2";
+  version = "0.3.11";
+
+  src = fetchPypi {
+    inherit pname version;
+    sha256 = "VZhI1oJ2EDZGyz3iI6/KYvJq4BGafzR+rcSgHqlUDrA=";
+  };
+
+  # Nose is required during build process, so can not use `checkInputs`.
+  buildInputs = [
+    nose
+  ];
+
+  propagatedBuildInputs = [
+    lark-parser
+  ];
+
+  pythonImportsCheck = [ "hcl2" ];
+
+  meta = with lib; {
+    description = "A parser for HCL2 written in Python using Lark";
+    longDescription = ''
+    A parser for HCL2 written in Python using Lark.
+    This parser only supports HCL2 and isn't backwards compatible with HCL v1.
+    It can be used to parse any HCL2 config file such as Terraform.
+    '';
+    # Although this is the main homepage from PyPi but it is also a homepage
+    # of another PyPi package (python-hcl2). But these two are different.
+    homepage = "https://github.com/amplify-education/python-hcl2";
+    license = licenses.mit;
+    maintainers = [ maintainers.anhdle14 ];
+  };
+}

pkgs/development/python-modules/deep_merge/default.nix

@@ -0,0 +1,24 @@
+{ lib, buildPythonPackage, fetchPypi, pytestCheckHook, nose }:
+
+buildPythonPackage rec {
+  pname = "deep_merge";
+  version = "0.0.4";
+
+  src = fetchPypi {
+    inherit pname version;
+    sha256 = "tUQV+Qk0xC4zQRTihky01OczWzStOW41rYYQyWBlpH4=";
+  };
+
+  checkInputs = [
+    nose
+  ];
+
+  doCheck = false;
+
+  meta = with lib; {
+    description = "This library contains a simple utility for deep-merging dictionaries and the data structures they contain";
+    homepage = "https://github.com/halfak/deep_merge";
+    license = licenses.mit;
+    maintainers = [ maintainers.anhdle14 ];
+  };
+}

pkgs/development/tools/analysis/checkov/default.nix

@@ -0,0 +1,77 @@
+{ stdenv, pkgs, lib, python3, fetchFromGitHub }:
+
+let
+  pname = "checkov";
+  version = "1.0.674";
+  src = fetchFromGitHub {
+    owner = "bridgecrewio";
+    repo = pname;
+    rev = version;
+    sha256 = "/S8ic5ZVxA2vd/rjRPX5gslbmnULL7BSx34vgWIsheQ=";
+  };
+
+  disabled = pkgs.python3Packages.pythonOlder "3.7";
+
+  # CheckOV only work with `dpath 1.5.0`
+  dpath = pkgs.python3Packages.buildPythonPackage rec {
+    pname = "dpath";
+    version = "1.5.0";
+
+    src = pkgs.python3Packages.fetchPypi {
+      inherit pname version;
+      sha256 = "SWYVtOqEI20Y4NKGEi3nSGmmDg+H4sfsZ4f/KGxINhs=";
+    };
+
+    doCheck = false;
+  };
+in
+python3.pkgs.buildPythonPackage rec {
+  inherit pname version disabled src;
+
+  nativeBuildInputs = with python3.pkgs; [ setuptools_scm ];
+
+  propagatedBuildInputs = with python3.pkgs; [
+    pytest
+    coverage
+    bandit
+    bc-python-hcl2
+    deep_merge
+    tabulate
+    colorama
+    termcolor
+    junit-xml
+    dpath
+    pyyaml
+    boto3
+    GitPython
+    six
+    jmespath
+    tqdm
+    update_checker
+    semantic-version
+    packaging
+  ];
+
+  # Both of these tests are pulling from external srouces (https://github.com/bridgecrewio/checkov/blob/f03a4204d291cf47e3753a02a9b8c8d805bbd1be/.github/workflows/build.yml)
+  preCheck = ''
+    rm -rf integration_tests/*
+    rm -rf tests/terraform/*
+  '';
+
+  # Wrap the executable so that the python packages are available
+  # it's just a shebang script which calls `python -m checkov "$@"`
+  postFixup = ''
+    wrapProgram $out/bin/checkov \
+      --set PYTHONPATH $PYTHONPATH
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/bridgecrewio/checkov";
+    description = "Static code analysis tool for infrastructure-as-code";
+    longDescription = ''
+    Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework and other infrastructure-as-code-languages with Checkov by Bridgecrew.
+    '';
+    license = licenses.asl20;
+    maintainers = with maintainers; [ anhdle14 ];
+  };
+}

pkgs/top-level/all-packages.nix

@@ -182,6 +182,8 @@ in
 
   cereal = callPackage ../development/libraries/cereal { };
 
+  checkov = callPackage ../development/tools/analysis/checkov {};
+
   chrysalis = callPackage ../applications/misc/chrysalis { };
 
   clj-kondo = callPackage ../development/tools/clj-kondo { };

pkgs/top-level/python-packages.nix

@@ -854,6 +854,8 @@ in {
 
   bayespy = callPackage ../development/python-modules/bayespy { };
 
+  bc-python-hcl2 = callPackage ../development/python-modules/bc-python-hcl2 { };
+
   bcdoc = callPackage ../development/python-modules/bcdoc { };
 
   bcrypt = if pythonOlder "3.6" then
@@ -1613,6 +1615,8 @@ in {
 
   decorator = callPackage ../development/python-modules/decorator { };
 
+  deep_merge = callPackage ../development/python-modules/deep_merge { };
+
   deepdiff = callPackage ../development/python-modules/deepdiff { };
 
   deepmerge = callPackage ../development/python-modules/deepmerge { };