blumeops/containers/kingfisher/default.nix
Erich Blume 4bec4fea4e Add custom Kingfisher container built from sporked feature branches
- Dockerfile: deterministic build from pinned CONTAINER_APP_VERSION + FEATURES
- Merges named feature branches at specific SHAs for reproducibility
- Switch CronJob to custom image with --clone-url-base and --all-organizations
- Add kingfisher to service-versions.yaml (version tracks upstream main SHA)
- Document spork container builds in new how-to card
- Document spork workflow in CLAUDE.md
- Update kingfisher service docs for custom image

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-29 21:49:41 -07:00


# Nix-built Kingfisher secret scanner
# Built from sporked deploy branch (upstream + local patches)
# Runs on ringtail (amd64) via nix-container-builder runner
{ pkgs ? import <nixpkgs> { } }:
let
  inherit (pkgs) lib;

  # Short SHA used as the package version string (per the commit message it
  # tracks upstream main). The fetchgit rev below is the sporked
  # deploy-branch commit that is actually built.
  version = "1d37d29";

  # Source is pinned by both commit and output hash, so the fetch is
  # reproducible and a changed upstream history fails the build instead of
  # silently producing a different image.
  src = pkgs.fetchgit {
    url = "https://forge.ops.eblu.me/eblume/kingfisher.git";
    rev = "a4f2fe0337614fca81f7c386de998e5c3e0fc534";
    hash = "sha256-jeuFzxjnsL/o9Uu9QMUSA77eXI3jm554+Z4NqYm6Q3w=";
  };

  # The Rust binary. Cargo.lock is not committed upstream, so a copy kept
  # next to this file serves both the vendoring step and the in-tree build.
  kingfisherPkg = pkgs.rustPlatform.buildRustPackage {
    pname = "kingfisher";
    inherit version src;

    cargoLock.lockFile = ./Cargo.lock;
    # buildRustPackage needs the lockfile inside the unpacked source tree.
    postPatch = ''
      cp ${./Cargo.lock} Cargo.lock
    '';

    nativeBuildInputs = [
      pkgs.cmake
      pkgs.pkg-config
      pkgs.python3 # vectorscan's build.rs drives cmake through python
    ];
    buildInputs = [
      pkgs.boost
      pkgs.openssl
    ];

    # Test suite is skipped: it needs network access for wiremock.
    doCheck = false;

    meta = {
      description = "Secret detection and live validation tool";
      homepage = "https://github.com/mongodb/kingfisher";
      license = lib.licenses.asl20;
      mainProgram = "kingfisher";
    };
  };
in
pkgs.dockerTools.buildLayeredImage {
  name = "blumeops/kingfisher";

  # Minimal runtime closure: the scanner, a CA bundle (TLS validation),
  # git (presumably for the CronJob's --clone-url-base clones) and zoneinfo.
  # No shell or package manager is part of the image.
  contents = [
    kingfisherPkg
    pkgs.cacert
    pkgs.git
    pkgs.tzdata
  ];

  config = {
    Entrypoint = [ "${kingfisherPkg}/bin/kingfisher" ];
    # Point OpenSSL-based clients at the bundled CA store and give tzdata a
    # known location, since the image has no /etc from a base distribution.
    Env = [
      "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
      "TZDIR=${pkgs.tzdata}/share/zoneinfo"
    ];
    # Run unprivileged (nobody). NOTE(review): no HOME or writable working
    # directory is set here — confirm the CronJob supplies one for git
    # clones performed as uid 65534.
    User = "65534";
  };
}