sysdig-cli-scanner: init at 1.13.2

Co-authored-by: Alexis Hildebrandt <afh@surryhill.net>

pkgs/by-name/sy/sysdig-cli-scanner/package.nix

@@ -0,0 +1,55 @@
+{
+  stdenv,
+  lib,
+  fetchurl,
+  makeWrapper,
+}:
+let
+  versionMetadata = import ./sysdig-cli-scanner.versions.nix;
+  fetchForSystem = versionMetadata.${stdenv.system} or (throw "unsupported system ${stdenv.system}");
+in
+stdenv.mkDerivation {
+  pname = "sysdig-cli-scanner";
+  version = versionMetadata.version;
+
+  src = fetchurl { inherit (fetchForSystem) url hash; };
+
+  nativeBuildInputs = [ makeWrapper ];
+
+  dontUnpack = true;
+
+  installPhase = ''
+    runHook preInstall
+
+    install -Dm755 -T $src $out/bin/sysdig-cli-scanner
+
+    wrapProgram $out/bin/sysdig-cli-scanner \
+      --add-flags --dbpath="\$HOME/.cache/sysdig-cli-scanner/"
+
+    runHook postInstall
+  '';
+
+  passthru.updateScript = ./update.sh;
+
+  meta = with lib; {
+    description = "Tool for scanning container images and directories using Sysdig";
+    longDescription = ''
+      The Sysdig Vulnerability CLI Scanner, sysdig-cli-scanner, is a versatile tool designed to
+      manually scan container images and directories, whether they are located locally or remotely.
+      Depending on your specific use case, you have the flexibility to execute sysdig-cli-scanner
+      in Vulnerability Management (VM) mode for image scanning or Infrastructure as Code (IaC) mode
+      for scanning directories.
+    '';
+    homepage = "https://docs.sysdig.com/en/docs/installation/sysdig-secure/install-vulnerability-cli-scanner/";
+    mainProgram = "sysdig-cli-scanner";
+    license = licenses.unfreeRedistributable;
+    maintainers = with maintainers; [ tembleking ];
+    platforms = [
+      "x86_64-linux"
+      "aarch64-linux"
+      "x86_64-darwin"
+      "aarch64-darwin"
+    ];
+    sourceProvenance = with sourceTypes; [ binaryNativeCode ];
+  };
+}

pkgs/by-name/sy/sysdig-cli-scanner/sysdig-cli-scanner.versions.nix

@@ -0,0 +1,23 @@
+{
+  version = "1.13.2";
+
+  x86_64-linux = {
+    url = "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/1.13.2/linux/amd64/sysdig-cli-scanner";
+    hash = "sha256-nFQ+xDiB7CA9mfQlRiTH/FvyZMKZ0YH8Gzn4ZuZ/Ucc=";
+  };
+
+  aarch64-linux = {
+    url = "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/1.13.2/linux/arm64/sysdig-cli-scanner";
+    hash = "sha256-IscMTVzEbWImFZa7uXNp2K6Gplnq2LZoVPoAo5oIZ1U=";
+  };
+
+  x86_64-darwin = {
+    url = "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/1.13.2/darwin/amd64/sysdig-cli-scanner";
+    hash = "sha256-Xgip9cquafpRuYcXnnCF5ptFi774EocBZ535b/LzXUQ=";
+  };
+
+  aarch64-darwin = {
+    url = "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/1.13.2/darwin/arm64/sysdig-cli-scanner";
+    hash = "sha256-l/u8UV9O5/mFrNHpyIaKvXbVCQ+Fh6binJLv7MCHrtM=";
+  };
+}

pkgs/by-name/sy/sysdig-cli-scanner/update.sh

@@ -0,0 +1,56 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -i bash -p bash curl jq
+
+set -euo pipefail
+
+LATEST_VERSION=$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)
+SUPPORTED_OPERATING_SYSTEMS=("linux" "darwin")
+SUPPORTED_ARCHITECTURES=("x86_64" "aarch64")
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+VERSIONS_FILE="${SCRIPT_DIR}/sysdig-cli-scanner.versions.nix"
+
+main() {
+  echo "{" > "$VERSIONS_FILE"
+  echo "  version = \"${LATEST_VERSION}\";" >> "$VERSIONS_FILE"
+  for os in "${SUPPORTED_OPERATING_SYSTEMS[@]}"; do
+    for arch in "${SUPPORTED_ARCHITECTURES[@]}"; do
+      formatted_arch=$(formatArchitectureForURL "$arch")
+      download_url="https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/${LATEST_VERSION}/${os}/${formatted_arch}/sysdig-cli-scanner"
+      file_hash=$(fetchFileHash "$download_url")
+      appendToVersionsFile "$VERSIONS_FILE" "$arch" "$os" "$download_url" "$file_hash"
+    done
+  done
+  echo "}" >> "$VERSIONS_FILE"
+}
+
+formatArchitectureForURL() {
+  local architecture="$1"
+  case "$architecture" in
+    x86_64) echo "amd64" ;;
+    aarch64) echo "arm64" ;;
+    *) echo "Unsupported architecture: $architecture" >&2; return 1 ;;
+  esac
+}
+
+fetchFileHash() {
+  local url="$1"
+  nix store prefetch-file --json "$url" | jq -r .hash
+}
+
+appendToVersionsFile() {
+  local file="$1"
+  local architecture="$2"
+  local operating_system="$3"
+  local url="$4"
+  local hash="$5"
+  cat >> "$file" << EOF
+
+  ${architecture}-${operating_system} = {
+    url = "$url";
+    hash = "$hash";
+  };
+EOF
+}
+
+main
+