diff --git a/pkgs/tools/security/badrobot/default.nix b/pkgs/tools/security/badrobot/default.nix
new file mode 100644
index 00000000000..30123d3c4f7
--- /dev/null
+++ b/pkgs/tools/security/badrobot/default.nix
@@ -0,0 +1,45 @@
+{ lib, buildGoModule, fetchFromGitHub, installShellFiles }:
+
+buildGoModule rec {
+ pname = "badrobot";
+ version = "0.1.2";
+
+ src = fetchFromGitHub {
+ owner = "controlplaneio";
+ repo = pname;
+ rev = "v${version}";
+ sha256 = "sha256-LGoNM8wu1qaq4cVEzR723/cueZlndE1Z2PCYEOU+nPQ=";
+ };
+ vendorSha256 = "sha256-FS4kFVi+3NOJOfWfy5m/hDrQvCzpmsNSB/PliF6cVps=";
+
+ nativeBuildInputs = [ installShellFiles ];
+
+ ldflags = [
+ "-s"
+ "-w"
+ "-X github.com/controlplaneio/badrobot/cmd.version=v${version}"
+ ];
+
+ postInstall = ''
+ installShellCompletion --cmd badrobot \
+ --bash <($out/bin/badrobot completion bash) \
+ --fish <($out/bin/badrobot completion fish) \
+ --zsh <($out/bin/badrobot completion zsh)
+ '';
+
+ meta = with lib; {
+ homepage = "https://github.com/controlplaneio/badrobot";
+ changelog = "https://github.com/controlplaneio/badrobot/blob/v${version}/CHANGELOG.md";
+ description = "Operator Security Audit Tool";
+ longDescription = ''
+ Badrobot is a Kubernetes Operator audit tool. It statically analyses
+ manifests for high risk configurations such as lack of security
+ restrictions on the deployed controller and the permissions of an
+ associated clusterole. The risk analysis is primarily focussed on the
+ likelihood that a compromised Operator would be able to obtain full
+ cluster permissions.
+ '';
+ license = with licenses; [ asl20 ];
+ maintainers = with maintainers; [ jk ];
+ };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 9d99d208f71..6c08979b1ab 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
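Review bot: The `postInstall` completion step executes the freshly built `$out/bin/badrobot` three times, which only works when the build platform can run host-platform binaries and will break the derivation under cross-compilation. Guard it with `postInstall = lib.optionalString (stdenv.buildPlatform == stdenv.hostPlatform) '' … '';` and add `stdenv` to the argument set on the first line, so a cross build simply skips the completions instead of failing. The `src` is fetched by the mutable tag `v${version}`, but both `sha256` and `vendorSha256` content-pin what is built, so that is acceptable as written. In `longDescription`, `clusterole` should read `clusterrole` (the Kubernetes ClusterRole the tool audits), and `focussed` is non-standard spelling for a user-facing description.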
@@ -2577,6 +2577,8 @@ with pkgs;
 inherit (darwin.apple_sdk.frameworks) Security;
 };
+ badrobot = callPackage ../tools/security/badrobot {};
+
 bao = callPackage ../tools/security/bao {};
 bar = callPackage ../tools/system/bar {};