@@ -126,32 +126,47 @@ case "$tool" in
126126 ;;
127127
128128 checkov)
129- # bridgecrewio/checkov GitHub releases do not publish checksum files; verify against
130- # repo-pinned hack/checksums/checkov-<version>.sha256sums instead.
131- case " ${os} _${arch} " in
132- linux_amd64) asset=" checkov_linux_X86_64.zip" ;;
133- linux_arm64) asset=" checkov_linux_arm64.zip" ;;
134- darwin_amd64) asset=" checkov_darwin_X86_64.zip" ;;
135- windows_amd64) asset=" checkov_windows_X86_64.zip" ;;
136- * )
137- echo " Unsupported platform for checkov: ${os} _${arch} " >&2
138- exit 1
139- ;;
140- esac
141- url=" https://github.com/bridgecrewio/checkov/releases/download/${version} /${asset} "
142- checksums_file=" ${script_dir} /checksums/checkov-${version} .sha256sums"
143129 dest_bin=" ${dest_dir} /checkov"
130+ # Linux release zips are PyInstaller bundles that require GLIBC >= 2.38; UBI9/RHEL9 (glibc 2.34) cannot run them.
131+ if [ " $os " = " linux" ]; then
132+ if ! command -v pip3 > /dev/null 2>&1 ; then
133+ echo " pip3 is required to install checkov on Linux (GitHub release zip requires GLIBC >= 2.38)." >&2
134+ exit 1
135+ fi
136+ lib_dir=" ${dest_dir} /.checkov-lib"
137+ rm -rf " $lib_dir "
138+ pip3 install --no-cache-dir --target " $lib_dir " " checkov==${version} "
139+ cat > " $dest_bin " << WRAP
140+ #!/usr/bin/env bash
141+ export PYTHONPATH="${lib_dir} :\$ {PYTHONPATH:-}"
142+ exec python3 -m checkov.main "\$ @"
143+ WRAP
144+ chmod +x " $dest_bin "
145+ else
146+ # bridgecrewio/checkov GitHub releases do not publish checksum files; verify against
147+ # repo-pinned hack/checksums/checkov-<version>.sha256sums instead.
148+ case " ${os} _${arch} " in
149+ darwin_amd64) asset=" checkov_darwin_X86_64.zip" ;;
150+ windows_amd64) asset=" checkov_windows_X86_64.zip" ;;
151+ * )
152+ echo " Unsupported platform for checkov: ${os} _${arch} " >&2
153+ exit 1
154+ ;;
155+ esac
156+ url=" https://github.com/bridgecrewio/checkov/releases/download/${version} /${asset} "
157+ checksums_file=" ${script_dir} /checksums/checkov-${version} .sha256sums"
158+
159+ if [ ! -f " ${checksums_file} " ]; then
160+ echo " Missing pinned checksums: ${checksums_file} " >&2
161+ echo " bridgecrewio/checkov releases do not publish upstream checksum files; add SHA256 sums for each platform zip when bumping CHECKOV_VERSION (see CONTRIBUTING.md)." >&2
162+ exit 1
163+ fi
144164
145- if [ ! -f " ${checksums_file} " ] ; then
146- echo " Missing pinned checksums: ${checksums_file} " >&2
147- echo " bridgecrewio/checkov releases do not publish upstream checksum files; add SHA256 sums for each platform zip when bumping CHECKOV_VERSION (see CONTRIBUTING.md). " >&2
148- exit 1
165+ curl -fsSL -o " ${tmp} / ${asset} " " $url "
166+ sha256_verify " ${tmp} / ${asset} " " ${checksums_file} "
167+ unzip -o " ${tmp} / ${asset} " -d " $tmp "
168+ install -m 0755 " ${tmp} /dist/checkov " " $dest_bin "
149169 fi
150-
151- curl -fsSL -o " ${tmp} /${asset} " " $url "
152- sha256_verify " ${tmp} /${asset} " " ${checksums_file} "
153- unzip -o " ${tmp} /${asset} " -d " $tmp "
154- install -m 0755 " ${tmp} /dist/checkov" " $dest_bin "
155170 ;;
156171
157172 gitleaks)
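Review bot: The Linux branch installs checkov with `pip3 install --no-cache-dir --target "$lib_dir" "checkov==${version}"`, which pins only the top-level version and verifies no hashes. This path therefore loses the integrity check that the zip path keeps through `sha256_verify` against the repo-pinned sums, and transitive dependencies resolve to whatever the index serves at install time. Consider committing a hash-pinned requirements file next to the existing checksums and installing with `pip3 install --no-cache-dir --require-hashes --target "$lib_dir" -r "${script_dir}/checksums/checkov-${version}.requirements.txt"` (the file name is only a suggestion), exiting with an error when the file is absent, as the zip path does for its sums file. Separately, the wrapper runs `python3` while the install uses `pip3`, and these can belong to different interpreters; `python3 -m pip install ...` would keep them aligned. The enclosing `case "$tool"` statement starts before this hunk.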