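---
# CI: build the image, push it to the Forgejo package registry, scan it with
# Trivy and import the findings into DefectDojo.
#
# Notes for maintainers:
#   * REGISTRY_HOST / IMAGE_* / DEFECTDOJO_* are configuration, not credentials,
#     but are read from `secrets`; that only makes them masked in logs. Consider
#     moving them to repository `vars` so hostnames stay readable in job output.
#   * Action and image refs are pinned to tags, not digests/commit SHAs. Tags
#     are mutable; pin the checkout action to the full commit SHA and the Trivy
#     image to its sha256 digest when you next bump them.
name: ci-workflow

on:
  push:
    branches:
      - master
  workflow_dispatch: {}

defaults:
  run:
    # Explicit shell so `set -euo pipefail` in the steps behaves the same on
    # every runner image.
    shell: bash

jobs:
  build-and-scan:
    runs-on: docker
    env:
      REGISTRY_HOST: ${{ secrets.REGISTRY_HOST }}
      IMAGE_NAMESPACE: ${{ secrets.IMAGE_NAMESPACE }}
      IMAGE_NAME: ${{ secrets.IMAGE_NAME }}
      CI_GREETING: ${{ secrets.CI_GREETING }}
      DEFECTDOJO_URL: ${{ secrets.DEFECTDOJO_URL }}
      DEFECTDOJO_PRODUCT_TYPE: ${{ secrets.DEFECTDOJO_PRODUCT_TYPE }}
      DEFECTDOJO_PRODUCT: ${{ secrets.DEFECTDOJO_PRODUCT }}
      DEFECTDOJO_ENGAGEMENT: ${{ secrets.DEFECTDOJO_ENGAGEMENT }}
      # Pinned Docker CLI version (Docker's Debian packages carry epoch 5).
      # Verify against `apt-cache madison docker-ce-cli` when bumping.
      DOCKER_CLI_VERSION: "5:29.1.4-1~debian.11~bullseye"
      TRIVY_IMAGE: "docker.io/aquasec/trivy:0.58.1"

    steps:
      - name: Checkout
        uses: https://data.forgejo.org/actions/checkout@v6
        with:
          fetch-depth: 0
          # Nothing after this step needs git credentials, so do not leave the
          # workflow token behind in .git/config on the runner.
          persist-credentials: false

      - name: Check that expected variables and secrets are present
        env:
          HELLO_SECRET: ${{ secrets.HELLO_SECRET }}
        run: |
          # Never echo secret values. The runner masks known secrets in logs,
          # but masking is best-effort; report presence/length only.
          if [ -n "${CI_GREETING}" ]; then echo "CI_GREETING: set"; else echo "CI_GREETING: empty"; fi
          echo "HELLO_SECRET length: ${#HELLO_SECRET}"

      - name: Install required dependencies
        run: |
          set -euo pipefail
          sudo apt-get update
          sudo apt-get install -y \
            apt-transport-https \
            ca-certificates \
            curl \
            gnupg2 \
            lsb-release \
            software-properties-common

      - name: Install Docker CLI from Docker's signed apt repository
        # Previously a bare .deb was fetched with wget and installed with dpkg,
        # so TLS was the only integrity check on the package. Installing through
        # apt verifies the package index against Docker's signing key and keeps
        # the version pinned. The release codename is hard-coded to bullseye,
        # matching the package this workflow installed before; change it
        # together with the runner image.
        run: |
          set -euo pipefail
          sudo install -m 0755 -d /etc/apt/keyrings
          curl -fsSL https://download.docker.com/linux/debian/gpg \
            | sudo gpg --dearmor --yes -o /etc/apt/keyrings/docker.gpg
          sudo chmod a+r /etc/apt/keyrings/docker.gpg
          echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian bullseye stable" \
            | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
          sudo apt-get update
          sudo apt-get install -y "docker-ce-cli=${DOCKER_CLI_VERSION}"

      - name: Verify Docker CLI version
        run: docker --version

      - name: Build image
        run: |
          set -euo pipefail
          IMAGE_REF="${REGISTRY_HOST}/${IMAGE_NAMESPACE}/${IMAGE_NAME}:${GITHUB_SHA}"
          echo "IMAGE_REF=${IMAGE_REF}" >> "${GITHUB_ENV}"
          docker build -t "${IMAGE_REF}" .

      - name: Login to Forgejo package registry
        env:
          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
        run: |
          set -euo pipefail
          # --password-stdin keeps the token out of argv / the process list.
          echo "${REGISTRY_TOKEN}" | docker login "${REGISTRY_HOST}" -u "${REGISTRY_USERNAME}" --password-stdin

      - name: Push image
        run: docker push "${IMAGE_REF}"

      - name: Trivy scan (securecodebox)
        # The image is exported to a tarball and scanned from that file, so the
        # scanner container gets neither the Docker socket (root-equivalent on
        # the runner host) nor the source checkout; it only sees `scan/`.
        # The scan is informational (exit code 0 regardless of findings). To
        # turn it into a gate, add e.g. `--exit-code 1 --severity HIGH,CRITICAL`
        # and move this step before "Push image".
        run: |
          set -euo pipefail
          mkdir -p scan
          docker save "${IMAGE_REF}" -o scan/image.tar
          docker run --rm \
            -v "${PWD}/scan:/scan" \
            -w /scan \
            "${TRIVY_IMAGE}" \
            image --no-progress --format json --output /scan/trivy-results.json --input /scan/image.tar
          rm -f scan/image.tar

      - name: Upload to DefectDojo
        env:
          DEFECTDOJO_API_KEY: ${{ secrets.DEFECTDOJO_API_KEY }}
        run: |
          set -euo pipefail
          # commit_hash ties the import to the scanned build. `verified=true`
          # marks every imported finding as reviewed; drop it if triage is
          # supposed to happen in DefectDojo.
          curl -sSf -X POST "${DEFECTDOJO_URL}/api/v2/import-scan/" \
            -H "Authorization: Token ${DEFECTDOJO_API_KEY}" \
            -F "scan_type=Trivy Scan" \
            -F "minimum_severity=Low" \
            -F "product_type_name=${DEFECTDOJO_PRODUCT_TYPE}" \
            -F "product_name=${DEFECTDOJO_PRODUCT}" \
            -F "engagement_name=${DEFECTDOJO_ENGAGEMENT}" \
            -F "commit_hash=${GITHUB_SHA}" \
            -F "file=@scan/trivy-results.json" \
            -F "verified=true" \
            -F "active=true"

      - name: Logout from registry
        # Runs even if an earlier step failed, so the registry token does not
        # remain in ~/.docker/config.json on a persistent runner.
        if: always()
        run: docker logout "${REGISTRY_HOST}" || true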