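---
# Build the container image, scan it with Trivy, upload the scan to DefectDojo,
# then push the image to the registry. Runs on the self-hosted "docker" runner.
#
# Note: Trivy is run without `--exit-code`, so findings never fail the job and
# the push step always runs once the upload succeeds. If the scan is meant to
# gate the push, add e.g. `--exit-code 1 --severity CRITICAL,HIGH` to the scan.
name: ci-workflow

on:
  push:
    branches:
      - master
  workflow_dispatch: {}

jobs:
  build-and-scan:
    runs-on: docker
    env:
      # Registry and DefectDojo coordinates come from secrets (so they are
      # masked in logs). None of these is a credential; credentials are scoped
      # to the individual steps that need them below.
      REGISTRY_HOST: ${{ secrets.REGISTRY_HOST }}
      IMAGE_NAMESPACE: ${{ secrets.IMAGE_NAMESPACE }}
      IMAGE_NAME: ${{ secrets.IMAGE_NAME }}
      # CI_GREETING is not referenced by any step in this job.
      CI_GREETING: ${{ secrets.CI_GREETING }}
      DEFECTDOJO_URL: ${{ secrets.DEFECTDOJO_URL }}
      DEFECTDOJO_PRODUCT_TYPE: ${{ secrets.DEFECTDOJO_PRODUCT_TYPE }}
      DEFECTDOJO_PRODUCT: ${{ secrets.DEFECTDOJO_PRODUCT }}
      DEFECTDOJO_ENGAGEMENT: ${{ secrets.DEFECTDOJO_ENGAGEMENT }}
      # Single source of truth for the Docker CLI package name, used by both the
      # download and the install steps so the two cannot drift apart.
      DOCKER_CLI_DEB: "docker-ce-cli_29.1.4-1~debian.11~bullseye_amd64.deb"

    steps:
      - name: Checkout
        uses: https://data.forgejo.org/actions/checkout@v6
        with:
          # Full history; needed if later steps inspect tags/commits.
          fetch-depth: 0

      # The cluster root CA is provided by the runner at /etc/cluster-ca.
      # Installing it lets curl/docker verify the in-cluster registry and
      # DefectDojo endpoints instead of disabling TLS verification.
      - name: Trust cluster CA
        run: |
          cp /etc/cluster-ca/root-ca.crt /usr/local/share/ca-certificates/cluster-root-ca.crt
          update-ca-certificates

      - name: Install required dependencies
        run: |
          apt-get update
          apt-get install -y \
            apt-transport-https \
            ca-certificates \
            curl \
            gnupg2 \
            lsb-release \
            software-properties-common

      # Uses curl, which the previous step installs (wget is not installed
      # there). The package is fetched over HTTPS but its checksum/signature is
      # not verified; installing from Docker's signed apt repository, or
      # comparing against a known digest, would close that supply-chain gap.
      - name: Download Docker CLI .deb package
        run: |
          curl -fsSLO "https://download.docker.com/linux/debian/dists/bullseye/pool/stable/amd64/${DOCKER_CLI_DEB}"

      - name: Install Docker CLI
        run: |
          dpkg -i "${DOCKER_CLI_DEB}"
          # Resolve any dependencies dpkg could not satisfy on its own.
          apt-get install -f

      - name: Verify Docker CLI version
        run: docker --version

      # Pull-side credentials are scoped to this step only. --password-stdin
      # keeps the token out of the process argument list.
      - name: Login to docker-mirror (pull)
        run: |
          echo "${MIRROR_REGISTRY_TOKEN}" | docker login "${REGISTRY_HOST}" -u "${MIRROR_REGISTRY_USERNAME}" --password-stdin
        env:
          MIRROR_REGISTRY_USERNAME: ${{ secrets.MIRROR_REGISTRY_USERNAME }}
          MIRROR_REGISTRY_TOKEN: ${{ secrets.MIRROR_REGISTRY_TOKEN }}

      # The image is tagged with the commit SHA; IMAGE_REF is exported via
      # GITHUB_ENV so the scan and push steps use the exact same reference.
      - name: Build image
        run: |
          IMAGE_REF="${REGISTRY_HOST}/${IMAGE_NAMESPACE}/${IMAGE_NAME}:${GITHUB_SHA}"
          echo "IMAGE_REF=${IMAGE_REF}" >> "${GITHUB_ENV}"
          docker build -t "${IMAGE_REF}" .

      # The Docker socket is mounted so Trivy can read the locally built image;
      # that grants the scanner container full control of the runner's Docker
      # daemon. Scanning a `docker save` tarball via `--input` would avoid the
      # socket mount.
      # NOTE(review): the scanner image is `:latest` and unpinned, so scanner
      # behaviour and output format can change between runs; pin a version or
      # digest. The host is also hard-coded rather than taken from REGISTRY_HOST.
      - name: Trivy scan (securecodebox)
        run: |
          docker run --rm \
            -v /var/run/docker.sock:/var/run/docker.sock \
            -v "${PWD}:/workspace" \
            -w /workspace \
            harbor.k8s.sk4.nz/docker-mirror/aquasec/trivy:latest \
            image --no-progress --format json --output trivy-results.json "${IMAGE_REF}"

      # `-f` makes curl exit non-zero on an HTTP error, failing the step.
      # verified=true / active=true marks every imported finding as verified
      # and active without triage; minimum_severity=Low drops Informational.
      - name: Upload to DefectDojo
        run: |
          curl -sSf -X POST "${DEFECTDOJO_URL}/api/v2/import-scan/" \
            -H "Authorization: Token ${DEFECTDOJO_API_KEY}" \
            -F "scan_type=Trivy Scan" \
            -F "minimum_severity=Low" \
            -F "product_type_name=${DEFECTDOJO_PRODUCT_TYPE}" \
            -F "product_name=${DEFECTDOJO_PRODUCT}" \
            -F "engagement_name=${DEFECTDOJO_ENGAGEMENT}" \
            -F "file=@trivy-results.json" \
            -F "verified=true" \
            -F "active=true"
        env:
          DEFECTDOJO_API_KEY: ${{ secrets.DEFECTDOJO_API_KEY }}

      # Push-side credentials are separate from the pull-side ones and scoped
      # to this step; this login replaces the earlier one for REGISTRY_HOST.
      - name: Login to registry (push)
        run: |
          echo "${REGISTRY_TOKEN}" | docker login "${REGISTRY_HOST}" -u "${REGISTRY_USERNAME}" --password-stdin
        env:
          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}

      - name: Push image
        run: |
          docker push "${IMAGE_REF}"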