push sheeet

2025-10-09 14:15:47 +02:00
commit 646b892680
49168 changed files with 5897842 additions and 0 deletions
--- a/pkgs/by-name/sy/sysdig-cli-scanner/package.nix
+++ b/pkgs/by-name/sy/sysdig-cli-scanner/package.nix
@@ -0,0 +1,67 @@
+{
+  stdenv,
+  lib,
+  fetchurl,
+  writeShellScript,
+}:
+let
+  versionMetadata = import ./sysdig-cli-scanner.versions.nix;
+  fetchForSystem = versionMetadata.${stdenv.system} or (throw "unsupported system ${stdenv.system}");
+
+  wrapper = writeShellScript "sysdig-cli-scanner-wrapper" ''
+    for arg in "$@"; do
+      # We must not pass --dbpath to the cli in case it has been called with --iac
+      # IaC Scanning does not make use of the vulnerability database
+      if [ "$arg" = "--iac" ]; then
+        exec @out@/libexec/sysdig-cli-scanner-unwrapped "$@"
+      fi
+    done
+
+    # --dbpath argument is needed for vulnerability scanning mode, otherwise it tries to download
+    # the vulnerability database in the same path as the binary, which is read-only in the case of the
+    # nix store
+    exec @out@/libexec/sysdig-cli-scanner-unwrapped \
+      --dbpath="$HOME/.cache/sysdig-cli-scanner/" "$@"
+  '';
+in
+stdenv.mkDerivation {
+  pname = "sysdig-cli-scanner";
+  version = versionMetadata.version;
+
+  src = fetchurl { inherit (fetchForSystem) url hash; };
+  dontUnpack = true;
+
+  installPhase = ''
+    runHook preInstall
+
+    install -Dm755 -T $src $out/libexec/sysdig-cli-scanner-unwrapped
+    install -Dm755 -T ${wrapper} $out/bin/sysdig-cli-scanner
+    substituteInPlace $out/bin/sysdig-cli-scanner --subst-var out
+
+    runHook postInstall
+  '';
+
+  passthru.updateScript = ./update.sh;
+
+  meta = with lib; {
+    description = "Tool for scanning container images and directories using Sysdig";
+    longDescription = ''
+      The Sysdig Vulnerability CLI Scanner, sysdig-cli-scanner, is a versatile tool designed to
+      manually scan container images and directories, whether they are located locally or remotely.
+      Depending on your specific use case, you have the flexibility to execute sysdig-cli-scanner
+      in Vulnerability Management (VM) mode for image scanning or Infrastructure as Code (IaC) mode
+      for scanning directories.
+    '';
+    homepage = "https://docs.sysdig.com/en/docs/installation/sysdig-secure/install-vulnerability-cli-scanner/";
+    mainProgram = "sysdig-cli-scanner";
+    license = licenses.unfreeRedistributable;
+    maintainers = with maintainers; [ tembleking ];
+    platforms = [
+      "x86_64-linux"
+      "aarch64-linux"
+      "x86_64-darwin"
+      "aarch64-darwin"
+    ];
+    sourceProvenance = with sourceTypes; [ binaryNativeCode ];
+  };
+}
--- a/pkgs/by-name/sy/sysdig-cli-scanner/sysdig-cli-scanner.versions.nix
+++ b/pkgs/by-name/sy/sysdig-cli-scanner/sysdig-cli-scanner.versions.nix
@@ -0,0 +1,23 @@
+{
+  version = "1.22.6";
+
+  x86_64-linux = {
+    url = "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/1.22.6/linux/amd64/sysdig-cli-scanner";
+    hash = "sha256-aOwvxIxq1h66YKJGnFVIFTcA/tq0CseeNLe6pfLobkI=";
+  };
+
+  aarch64-linux = {
+    url = "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/1.22.6/linux/arm64/sysdig-cli-scanner";
+    hash = "sha256-m79OVmW+9D+941BX9xBwBxrZrDBBrFBDyjS8T6sE3m4=";
+  };
+
+  x86_64-darwin = {
+    url = "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/1.22.6/darwin/amd64/sysdig-cli-scanner";
+    hash = "sha256-RGc+ZHkX4y6kDwzaZeGWpB3TLRvThUbPkriMDK7U3cQ=";
+  };
+
+  aarch64-darwin = {
+    url = "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/1.22.6/darwin/arm64/sysdig-cli-scanner";
+    hash = "sha256-mFHxETd96ZGJUYDXi6mjhfJDlozDAo4IHaoisbNhwwc=";
+  };
+}
--- a/pkgs/by-name/sy/sysdig-cli-scanner/update.sh
+++ b/pkgs/by-name/sy/sysdig-cli-scanner/update.sh
@@ -0,0 +1,56 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -i bash -p bash curl jq
+
+set -euo pipefail
+
+LATEST_VERSION=$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)
+SUPPORTED_OPERATING_SYSTEMS=("linux" "darwin")
+SUPPORTED_ARCHITECTURES=("x86_64" "aarch64")
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+VERSIONS_FILE="${SCRIPT_DIR}/sysdig-cli-scanner.versions.nix"
+
+main() {
+  echo "{" > "$VERSIONS_FILE"
+  echo "  version = \"${LATEST_VERSION}\";" >> "$VERSIONS_FILE"
+  for os in "${SUPPORTED_OPERATING_SYSTEMS[@]}"; do
+    for arch in "${SUPPORTED_ARCHITECTURES[@]}"; do
+      formatted_arch=$(formatArchitectureForURL "$arch")
+      download_url="https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/${LATEST_VERSION}/${os}/${formatted_arch}/sysdig-cli-scanner"
+      file_hash=$(fetchFileHash "$download_url")
+      appendToVersionsFile "$VERSIONS_FILE" "$arch" "$os" "$download_url" "$file_hash"
+    done
+  done
+  echo "}" >> "$VERSIONS_FILE"
+}
+
+formatArchitectureForURL() {
+  local architecture="$1"
+  case "$architecture" in
+    x86_64) echo "amd64" ;;
+    aarch64) echo "arm64" ;;
+    *) echo "Unsupported architecture: $architecture" >&2; return 1 ;;
+  esac
+}
+
+fetchFileHash() {
+  local url="$1"
+  nix store prefetch-file --json "$url" | jq -r .hash
+}
+
+appendToVersionsFile() {
+  local file="$1"
+  local architecture="$2"
+  local operating_system="$3"
+  local url="$4"
+  local hash="$5"
+  cat >> "$file" << EOF
+
+  ${architecture}-${operating_system} = {
+    url = "$url";
+    hash = "$hash";
+  };
+EOF
+}
+
+main
+