blumeops/containers/kingfisher/default.nix

# Nix-built Kingfisher secret scanner
# Built from upstream main + sporked feature branches applied as patches.
# Runs on ringtail (amd64) via nix-container-builder runner.
#
# How it works:
#   1. builtins.fetchGit fetches upstream and feature branches at eval time
#   2. diff generates patches from upstream→feature in a sandboxed derivation
#   3. buildRustPackage applies patches to the upstream source and builds
#
# To update:
#   1. Update upstreamRev to the new main SHA
#   2. Rebase feature branches onto new main (mirror-sync does this daily)
#   3. Update feature revs to the new rebased SHAs
#   4. Update Cargo.lock if dependencies changed
#
# The upstream rev must be an ancestor of each feature rev.
{ pkgs ? import <nixpkgs> { } }:

let
  version = "165768b";
  repoUrl = "https://forge.ops.eblu.me/eblume/kingfisher.git";

  upstreamRev = "165768b5ca9a85c2e8c64bed19bb197e82b45360";

  features = [
    {
      name = "clone-url-base";
      ref = "feature/upstream/clone-url-base";
      rev = "4d5ce57a12650ec54c41b909f8623a1d395aa0a9";
    }
  ];

  # Fetch upstream source at the pinned rev (eval-time, network access)
  upstreamSrc = builtins.fetchGit {
    url = repoUrl;
    ref = "main";
    rev = upstreamRev;
  };

  # Fetch each feature branch source and generate a patch against upstream
  featurePatches = map (f:
    let
      featureSrc = builtins.fetchGit {
        url = repoUrl;
        ref = f.ref;
        rev = f.rev;
      };
    in
    pkgs.runCommand "spork-${f.name}.patch" {
      nativeBuildInputs = [ pkgs.diffutils pkgs.gnused ];
    } ''
      diff -ruN --no-dereference ${upstreamSrc} ${featureSrc} \
        | sed -e 's|${upstreamSrc}/|a/|g' -e 's|${featureSrc}/|b/|g' \
        > $out || true
    ''
  ) features;

  kingfisher = pkgs.rustPlatform.buildRustPackage {
    pname = "kingfisher";
    inherit version;
    src = upstreamSrc;

    patches = featurePatches;

    # Cargo.lock is not committed upstream; we vendor a copy alongside default.nix
    cargoLock.lockFile = ./Cargo.lock;

    # Patch the source to include Cargo.lock (buildRustPackage needs it in-tree)
    postPatch = ''
      cp ${./Cargo.lock} Cargo.lock
      chmod +w Cargo.lock
    '';

    nativeBuildInputs = with pkgs; [
      cmake
      pkg-config
      python3
    ];

    buildInputs = with pkgs; [
      boost
      openssl
    ];

    # Don't run tests — they need network access for wiremock
    doCheck = false;

    meta = with pkgs.lib; {
      description = "Secret detection and live validation tool";
      homepage = "https://github.com/mongodb/kingfisher";
      license = licenses.asl20;
      mainProgram = "kingfisher";
    };
  };
in

pkgs.dockerTools.buildLayeredImage {
  name = "blumeops/kingfisher";
  contents = [
    kingfisher
    pkgs.bashInteractive
    pkgs.coreutils
    pkgs.cacert
    pkgs.git
    pkgs.tzdata
  ];

  extraCommands = ''
    mkdir -p tmp
    chmod 1777 tmp
  '';

  config = {
    Entrypoint = [ "${kingfisher}/bin/kingfisher" ];
    Env = [
      "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
      "TZDIR=${pkgs.tzdata}/share/zoneinfo"
      "TMPDIR=/tmp"
    ];
    User = "65534";
  };
}
Build custom Kingfisher container from sporked deploy branch (#318) ## Summary - Add Dockerfile for Kingfisher built from source (sporked deploy branch) - Multi-stage: Rust build with Boost/vectorscan, debian-slim runtime - Switch CronJob from upstream `ghcr.io/mongodb/kingfisher` to `registry.ops.eblu.me/blumeops/kingfisher` - Add kingfisher to service-versions.yaml (version tracks upstream main SHA) - Document spork workflow in CLAUDE.md ## Test plan - [ ] Build container: `mise run container-build-and-release kingfisher 1d37d29` - [ ] Verify image on registry: `mise run container-list` - [ ] Update kustomization newTag - [ ] Sync ArgoCD kingfisher app from branch - [ ] Trigger manual CronJob and verify scan completes - [ ] Verify reports on sifaka Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/318 2026-03-30 06:34:49 -07:00			`# Nix-built Kingfisher secret scanner`
			`# Built from upstream main + sporked feature branches applied as patches.`
			`# Runs on ringtail (amd64) via nix-container-builder runner.`
			`#`
			`# How it works:`
			`# 1. builtins.fetchGit fetches upstream and feature branches at eval time`
			`# 2. diff generates patches from upstream→feature in a sandboxed derivation`
			`# 3. buildRustPackage applies patches to the upstream source and builds`
			`#`
			`# To update:`
			`# 1. Update upstreamRev to the new main SHA`
			`# 2. Rebase feature branches onto new main (mirror-sync does this daily)`
			`# 3. Update feature revs to the new rebased SHAs`
			`# 4. Update Cargo.lock if dependencies changed`
			`#`
			`# The upstream rev must be an ancestor of each feature rev.`
			`{ pkgs ? import <nixpkgs> { } }:`

			`let`
			`version = "165768b";`
			`repoUrl = "https://forge.ops.eblu.me/eblume/kingfisher.git";`

			`upstreamRev = "165768b5ca9a85c2e8c64bed19bb197e82b45360";`

			`features = [`
			`{`
			`name = "clone-url-base";`
			`ref = "feature/upstream/clone-url-base";`
			`rev = "4d5ce57a12650ec54c41b909f8623a1d395aa0a9";`
			`}`
			`];`

			`# Fetch upstream source at the pinned rev (eval-time, network access)`
			`upstreamSrc = builtins.fetchGit {`
			`url = repoUrl;`
			`ref = "main";`
			`rev = upstreamRev;`
			`};`

			`# Fetch each feature branch source and generate a patch against upstream`
			`featurePatches = map (f:`
			`let`
			`featureSrc = builtins.fetchGit {`
			`url = repoUrl;`
			`ref = f.ref;`
			`rev = f.rev;`
			`};`
			`in`
			`pkgs.runCommand "spork-${f.name}.patch" {`
			`nativeBuildInputs = [ pkgs.diffutils pkgs.gnused ];`
			`} ''`
			`diff -ruN --no-dereference ${upstreamSrc} ${featureSrc} \`
			`\| sed -e 's\|${upstreamSrc}/\|a/\|g' -e 's\|${featureSrc}/\|b/\|g' \`
			`> $out \|\| true`
			`''`
			`) features;`

			`kingfisher = pkgs.rustPlatform.buildRustPackage {`
			`pname = "kingfisher";`
			`inherit version;`
			`src = upstreamSrc;`

			`patches = featurePatches;`

			`# Cargo.lock is not committed upstream; we vendor a copy alongside default.nix`
			`cargoLock.lockFile = ./Cargo.lock;`

			`# Patch the source to include Cargo.lock (buildRustPackage needs it in-tree)`
			`postPatch = ''`
			`cp ${./Cargo.lock} Cargo.lock`
			`chmod +w Cargo.lock`
			`'';`

			`nativeBuildInputs = with pkgs; [`
			`cmake`
			`pkg-config`
			`python3`
			`];`

			`buildInputs = with pkgs; [`
			`boost`
			`openssl`
			`];`

			`# Don't run tests — they need network access for wiremock`
			`doCheck = false;`

			`meta = with pkgs.lib; {`
			`description = "Secret detection and live validation tool";`
			`homepage = "https://github.com/mongodb/kingfisher";`
			`license = licenses.asl20;`
			`mainProgram = "kingfisher";`
			`};`
			`};`
			`in`

			`pkgs.dockerTools.buildLayeredImage {`
			`name = "blumeops/kingfisher";`
			`contents = [`
			`kingfisher`
Fix Kingfisher container: add bash and coreutils for CronJob shell Nix containers don't include a shell by default. The CronJob needs /bin/bash for the inline script that generates timestamped filenames. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-30 06:45:39 -07:00			`pkgs.bashInteractive`
			`pkgs.coreutils`
Build custom Kingfisher container from sporked deploy branch (#318) ## Summary - Add Dockerfile for Kingfisher built from source (sporked deploy branch) - Multi-stage: Rust build with Boost/vectorscan, debian-slim runtime - Switch CronJob from upstream `ghcr.io/mongodb/kingfisher` to `registry.ops.eblu.me/blumeops/kingfisher` - Add kingfisher to service-versions.yaml (version tracks upstream main SHA) - Document spork workflow in CLAUDE.md ## Test plan - [ ] Build container: `mise run container-build-and-release kingfisher 1d37d29` - [ ] Verify image on registry: `mise run container-list` - [ ] Update kustomization newTag - [ ] Sync ArgoCD kingfisher app from branch - [ ] Trigger manual CronJob and verify scan completes - [ ] Verify reports on sifaka Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/318 2026-03-30 06:34:49 -07:00			`pkgs.cacert`
			`pkgs.git`
			`pkgs.tzdata`
			`];`

Fix Kingfisher container: add /tmp directory Kingfisher needs a writable temp directory for git clones and scanning. Nix containers don't create /tmp by default. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-30 06:49:59 -07:00			`extraCommands = ''`
			`mkdir -p tmp`
Fix Kingfisher container: make /tmp world-writable Container runs as user 65534 (nobody) but /tmp was owned by root. Set sticky bit + world-writable (1777) like a standard /tmp. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-30 06:53:34 -07:00			`chmod 1777 tmp`
Fix Kingfisher container: add /tmp directory Kingfisher needs a writable temp directory for git clones and scanning. Nix containers don't create /tmp by default. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-30 06:49:59 -07:00			`'';`

Build custom Kingfisher container from sporked deploy branch (#318) ## Summary - Add Dockerfile for Kingfisher built from source (sporked deploy branch) - Multi-stage: Rust build with Boost/vectorscan, debian-slim runtime - Switch CronJob from upstream `ghcr.io/mongodb/kingfisher` to `registry.ops.eblu.me/blumeops/kingfisher` - Add kingfisher to service-versions.yaml (version tracks upstream main SHA) - Document spork workflow in CLAUDE.md ## Test plan - [ ] Build container: `mise run container-build-and-release kingfisher 1d37d29` - [ ] Verify image on registry: `mise run container-list` - [ ] Update kustomization newTag - [ ] Sync ArgoCD kingfisher app from branch - [ ] Trigger manual CronJob and verify scan completes - [ ] Verify reports on sifaka Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/318 2026-03-30 06:34:49 -07:00			`config = {`
			`Entrypoint = [ "${kingfisher}/bin/kingfisher" ];`
			`Env = [`
			`"SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"`
			`"TZDIR=${pkgs.tzdata}/share/zoneinfo"`
Fix Kingfisher container: add /tmp directory Kingfisher needs a writable temp directory for git clones and scanning. Nix containers don't create /tmp by default. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-30 06:49:59 -07:00			`"TMPDIR=/tmp"`
Build custom Kingfisher container from sporked deploy branch (#318) ## Summary - Add Dockerfile for Kingfisher built from source (sporked deploy branch) - Multi-stage: Rust build with Boost/vectorscan, debian-slim runtime - Switch CronJob from upstream `ghcr.io/mongodb/kingfisher` to `registry.ops.eblu.me/blumeops/kingfisher` - Add kingfisher to service-versions.yaml (version tracks upstream main SHA) - Document spork workflow in CLAUDE.md ## Test plan - [ ] Build container: `mise run container-build-and-release kingfisher 1d37d29` - [ ] Verify image on registry: `mise run container-list` - [ ] Update kustomization newTag - [ ] Sync ArgoCD kingfisher app from branch - [ ] Trigger manual CronJob and verify scan completes - [ ] Verify reports on sifaka Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/318 2026-03-30 06:34:49 -07:00			`];`
			`User = "65534";`
			`};`
			`}`