{"id":20102950,"url":"https://github.com/stackrox/stackrox-env","last_synced_at":"2025-08-09T10:25:19.455Z","repository":{"id":37756298,"uuid":"448591409","full_name":"stackrox/stackrox-env","owner":"stackrox","description":"Stackrox development environment","archived":false,"fork":false,"pushed_at":"2024-05-22T12:04:50.000Z","size":94,"stargazers_count":8,"open_issues_count":1,"forks_count":2,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-05-22T12:31:13.747Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Nix","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stackrox.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-01-16T15:19:05.000Z","updated_at":"2024-06-17T22:21:54.014Z","dependencies_parsed_at":"2024-01-25T14:28:06.697Z","dependency_job_id":"99b2669c-5da7-4ff9-8e6c-3ed164977d8e","html_url":"https://github.com/stackrox/stackrox-env","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackrox%2Fstackrox-env","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackrox%2Fstackrox-env/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackrox%2Fstackrox-env/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackrox%2Fstackrox-env/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stackrox","download_url":"https://codeload.github.com/stackrox/stackr
ox-env/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252648486,"owners_count":21782395,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-13T17:33:45.770Z","updated_at":"2025-05-06T08:30:58.155Z","avatar_url":"https://github.com/stackrox.png","language":"Nix","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Stackrox development environment\n\n[![](http://github-actions.40ants.com/stackrox/stackrox-env/matrix.svg)](https://github.com/stackrox/stackrox-env)\n\nIsolated and reproducible development environment for the Stackrox stack using Nix flakes.\n\n## Environment\n\nCompilers / runtimes:\n\n* `gcc`\n* `golang 1.22.x`\n* `openjdk 11`\n* `python 3.11`\n\nApplications:\n\n* `aws` and `aws-vault`\n* `bats`\n* `bitwarden` CLI\n* Repo cleaner `bfg`\n* `cachix`\n* `chamber`\n* `colima` (macOS)\n* `detect-secrets`\n* `docker` (macOS)\n* `docker-buildx`\n* `envsubst` (and other gettext utilities)\n* `gcloud`\n* `git-absorb`\n* `go-jsonnet` and bundler\n* `goreleaser`\n* `gradle`\n* `helm`\n* `jq`\n* `k9s`\n* `kind`\n* `kubectl`\n* `kubectx`\n* `make`\n* `nodejs`\n* OpenShift Client `oc`\n* OpenShift Cluster Manager Client `ocm`\n* `pre-commit`\n* `prometheus`\n* `terraform 1.5.7` (last MPL release) and `terragrunt`\n* `vault 1.14.8` (last MPL release)\n* `wget`\n* `yarn`\n* `yq`\n\n## Prerequisites\n\n- Install `Nix` by following the [instructions](https://nixos.org/manual/nix/stable/installation/installing-binary.html)\n  based on your platform.\n- **(Optional)** Clone the 
repository `git clone git@github.com:stackrox/stackrox-env.git ~/dev/nix/stackrox`.\n\n## Usage\n\n### Ad-hoc shell\n\nRun `nix --experimental-features \"nix-command flakes\" develop github:stackrox/stackrox-env -c $SHELL` to open a shell\nwith the development environment based on the latest upstream state. Alternatively, open a shell based on a local clone\nof the repository with `nix --experimental-features \"nix-command flakes\" develop ~/dev/nix/stackrox -c $SHELL`. This allows\nfor more fine-grained control, but requires manual updates from time to time by pulling the latest master.\n\n### Login shell\n\nYou may choose to load the development environment inside the login shell. This effectively means that the development\nenvironment will be available in every shell, which is convenient when no other environments are used anyway. Modifying\nthe login shell is recommended when working with graphical IDEs such as GoLand and VSCode.\n\n- Clone the repository as outlined above.\n- Add `source ~/dev/nix/stackrox/login.sh` to either `~/.bash_profile.sh` (bash) or `~/.zprofile` (zsh).\n\nNote that you should source `login.sh` after the lines added by the Nix installer, but before setting up the Stackrox workflow\ntools (if you use them) via\n\n```sh\nexport GOPATH=$HOME/go\nexport PATH=$PATH:$GOPATH/bin\nsource \"$HOME/go/src/github.com/stackrox/workflow/env.sh\"\n```\n\n### Direnv integration\n\n`Direnv` allows you to automatically modify the shell environment when entering a directory. This can be used to load the\ndevelopment environment upon entering the `stackrox/stackrox` repository. 
It is the recommended usage when working primarily\nfrom the command line.\n\n- Install [Direnv with Nix flake integration](https://github.com/nix-community/nix-direnv).\n- Create a `.envrc` file inside the `stackrox/stackrox` directory and add `use flake github:stackrox/stackrox-env` to it.\n  Alternatively, add `use flake ~/dev/nix/stackrox/` to use a local clone of the repository.\n\n### Import from other flakes\n\nYou can compose Nix flakes by importing the `stackrox-env` flake from other Nix flakes. This allows you to\nintegrate the flake into a larger user configuration management, for example via `Home Manager`.\n\nOverlay all packages - note that you still have to declare individual packages in your package configuration.\n\n```nix\ninputs = {\n  nixpkgs.url = \"github:NixOS/nixpkgs/nixpkgs-unstable\";\n  stackrox-env = {\n    url = \"github:stackrox/stackrox-env\";\n    inputs.nixpkgs.follows = \"nixpkgs\";\n  };\n};\n\ninputs @ {self, ...}: {\n  # ...\n  overlays = {\n    stackrox-overlay = inputs.stackrox-env.overlays.default;\n  };\n}\n```\n\nOverlay only the pinned HashiCorp packages:\n\n```nix\ninputs = {\n  nixpkgs.url = \"github:NixOS/nixpkgs/nixpkgs-unstable\";\n  stackrox-env = {\n    url = \"github:stackrox/stackrox-env\";\n    inputs.nixpkgs.follows = \"nixpkgs\";\n  };\n};\n\ninputs @ {self, ...}: {\n  # ...\n  overlays = {\n    stackrox-overlay = inputs.stackrox-env.overlays.hashicorp;\n  };\n}\n```\n\n## Platforms\n\nThe Nix flake is tested via continuous integration on Linux and macOS (Intel). Unfortunately, GitHub does not provide\nmacOS ARM runners, but the flake should build on M1 machines as well. If not, please let me know.\n\n## Docker on macOS\n\n[`colima`](https://github.com/abiosoft/colima) manages a virtual machine, in which the `docker` daemon runs natively.\nThe `docker` context in the macOS host system is then set to the daemon inside the virtual machine. 
This setup functions\nsimilarly to `Docker Desktop` and may be used as a drop-in replacement.\n\nSet up a virtual machine with 2 CPUs, 2 GiB of memory and 60 GiB of storage:\n\n```sh\ncolima start --cpu 2 --memory 2 --disk 60\n```\n\nChange the resources of the virtual machine:\n\n```sh\ncolima stop\ncolima start --cpu 4 --memory 8 --disk 60\n```\n\nVerify that the `colima` context is used by the `docker` client:\n\n```sh\ndocker context list\n```\n\nDeploy a local Kubernetes cluster with access to images built or pulled with `docker`:\n\n```sh\ncolima start --with-kubernetes\n```\n\n## Binary cache\n\nTo avoid long build times, all packages can be pulled from a binary cache. The `build` GitHub action builds\nall packages and pushes them to the binary cache `stackrox.cachix.org`. Using the binary cache is optional.\nSee this [guide](https://nix.dev/faq#how-do-i-add-a-new-binary-cache) on how to enable the cache.\n\n```\naccept-flake-config = true\ntrusted-substituters = https://stackrox.cachix.org https://cache.nixos.org/\ntrusted-public-keys = stackrox.cachix.org-1:Wnn8TKAitOTWKfTvvHiHzJjXy0YfiwoK6rrVzXt/trA= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=\n```\n\nAlternatively, run\n\n```sh\ncachix use stackrox\n```\n\nwhich modifies the Nix system config as described above.\n\n## Caveats\n\nLoading the development environment inserts the `Nix` binaries at the beginning of `$PATH`.\nIf `$PATH` is later overwritten by another process, the isolation breaks and global versions\nof binaries could come first in `$PATH`.\n\n## Contributing\n\n### Pre-commit hook\n\nTo install the pre-commit hook, run `pre-commit install` from within the repository.\n\n### Remember to update the repository state\n\nIf you're getting an error such as `error: attribute 'whatever_new_version'\nmissing` after bumping to a new version of a package, try running `nix flake\nupdate`.\n\n### Updating isolated packages\n\nTo only update an isolated package - for example, to bump the golang 
version without touching other packages - follow these steps:\n\n1. Add a dedicated `nixpkgs-my-package` input based on `nixpkgs-unstable`.\n2. Run `nix flake update nixpkgs-my-package`.\n3. Import your package from `inputs.nixpkgs-my-package` in the package list.\n\nFor an explicit example, see this [pull request](https://github.com/stackrox/stackrox-env/pull/74).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstackrox%2Fstackrox-env","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstackrox%2Fstackrox-env","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstackrox%2Fstackrox-env/lists"}