2 changes: 1 addition & 1 deletion Dockerfile
Expand Up @@ -2,7 +2,7 @@
FROM registry.access.redhat.com/ubi9/ubi:latest
WORKDIR /app
COPY . /app
RUN yum update -y && yum install -y yum-utils shadow-utils unzip tar make git && \
RUN yum update -y && yum install -y yum-utils shadow-utils unzip tar make git python3-pip && \
yum clean all && \
rm -rf /var/cache/yum
# Prow / integration client image: newest Terraform (TERRAFORM_VERSION). Module minimum compatibility is checked in GitHub Actions verify-min-terraform.yml.
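Review bot: The `python3-pip` added to the `yum install -y` line is unpinned, like the packages around it, so the Python and pip that hack/install-release-tool.sh now relies on for the Linux checkov install will drift with whatever the repository serves at build time; pinning it (`python3-pip-<version>` style, DL3008) or at least recording the expected Python minor in a comment would keep the pip-installed checkov reproducible. Since nothing on the line says why the package is there, a comment such as `# python3-pip: hack/install-release-tool.sh pip-installs checkov on Linux (release zips need glibc >= 2.38, UBI9 ships 2.34)` would tie it to its consumer. The `ubi:latest` base tag and `yum update -y` on the surrounding context lines are pre-existing, but they compound this: with all three unpinned, two builds of this image can run checkov under different interpreters.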
61 changes: 38 additions & 23 deletions hack/install-release-tool.sh
Expand Up @@ -126,32 +126,47 @@ case "$tool" in
;;

checkov)
# bridgecrewio/checkov GitHub releases do not publish checksum files; verify against
# repo-pinned hack/checksums/checkov-<version>.sha256sums instead.
case "${os}_${arch}" in
linux_amd64) asset="checkov_linux_X86_64.zip" ;;
linux_arm64) asset="checkov_linux_arm64.zip" ;;
darwin_amd64) asset="checkov_darwin_X86_64.zip" ;;
windows_amd64) asset="checkov_windows_X86_64.zip" ;;
*)
echo "Unsupported platform for checkov: ${os}_${arch}" >&2
exit 1
;;
esac
url="https://github.com/bridgecrewio/checkov/releases/download/${version}/${asset}"
checksums_file="${script_dir}/checksums/checkov-${version}.sha256sums"
dest_bin="${dest_dir}/checkov"
# Linux release zips are PyInstaller bundles that require GLIBC >= 2.38; UBI9/RHEL9 (glibc 2.34) cannot run them.
if [ "$os" = "linux" ]; then
if ! command -v pip3 >/dev/null 2>&1; then
echo "pip3 is required to install checkov on Linux (GitHub release zip requires GLIBC >= 2.38)." >&2
exit 1
fi
lib_dir="${dest_dir}/.checkov-lib"
rm -rf "$lib_dir"
pip3 install --no-cache-dir --target "$lib_dir" "checkov==${version}"
cat >"$dest_bin" <<WRAP
#!/usr/bin/env bash
export PYTHONPATH="${lib_dir}:\${PYTHONPATH:-}"
exec python3 -m checkov.main "\$@"
WRAP
chmod +x "$dest_bin"
else
# bridgecrewio/checkov GitHub releases do not publish checksum files; verify against
# repo-pinned hack/checksums/checkov-<version>.sha256sums instead.
case "${os}_${arch}" in
darwin_amd64) asset="checkov_darwin_X86_64.zip" ;;
windows_amd64) asset="checkov_windows_X86_64.zip" ;;
*)
echo "Unsupported platform for checkov: ${os}_${arch}" >&2
exit 1
;;
esac
url="https://github.com/bridgecrewio/checkov/releases/download/${version}/${asset}"
checksums_file="${script_dir}/checksums/checkov-${version}.sha256sums"

if [ ! -f "${checksums_file}" ]; then
echo "Missing pinned checksums: ${checksums_file}" >&2
echo "bridgecrewio/checkov releases do not publish upstream checksum files; add SHA256 sums for each platform zip when bumping CHECKOV_VERSION (see CONTRIBUTING.md)." >&2
exit 1
fi

if [ ! -f "${checksums_file}" ]; then
echo "Missing pinned checksums: ${checksums_file}" >&2
echo "bridgecrewio/checkov releases do not publish upstream checksum files; add SHA256 sums for each platform zip when bumping CHECKOV_VERSION (see CONTRIBUTING.md)." >&2
exit 1
curl -fsSL -o "${tmp}/${asset}" "$url"
sha256_verify "${tmp}/${asset}" "${checksums_file}"
unzip -o "${tmp}/${asset}" -d "$tmp"
install -m 0755 "${tmp}/dist/checkov" "$dest_bin"
fi

curl -fsSL -o "${tmp}/${asset}" "$url"
sha256_verify "${tmp}/${asset}" "${checksums_file}"
unzip -o "${tmp}/${asset}" -d "$tmp"
install -m 0755 "${tmp}/dist/checkov" "$dest_bin"
;;

gitleaks)
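Review bot: The new Linux branch pins only checkov itself at `pip3 install --no-cache-dir --target "$lib_dir" "checkov==${version}"`, so unlike the zip branch, which the hunk's own comment justifies by verifying against repo-pinned SHA-256 sums, it accepts whatever the index resolves for checkov's transitive dependencies at install time. A lockfile with hashes would restore parity, e.g. `pip3 install --no-cache-dir --require-hashes --target "$lib_dir" -r "${script_dir}/checksums/checkov-${version}-requirements.txt"` (path illustrative; generated with pip-compile --generate-hashes), and failing that the weaker guarantee deserves a comment beside the one that explains the checksum pinning. The generated wrapper's `exec python3 -m checkov.main "$@"` also runs with the current working directory ahead of the PYTHONPATH entry on sys.path (`-m` inserts it at sys.path[0]), so a `checkov/` directory in the tree being scanned would shadow the installed package; running `python3 -I` and inserting `${lib_dir}` into sys.path explicitly avoids that, and using `python3 -m pip` instead of `pip3` would additionally guarantee the installing and running interpreters are the same one. The `case "$tool"` statement enclosing this arm starts before the hunk and ends after it.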