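---
# Builds each service's container image on the runner and scans it with
# Trivy. Triggered by pushes and pull requests to main that touch one of
# the Dockerfiles, or manually via workflow_dispatch.
name: Container Image Scan

on:
  push:
    branches: [main]
    paths:
      - "veza-backend-api/Dockerfile*"
      - "apps/web/Dockerfile*"
      - "veza-stream-server/Dockerfile*"
  pull_request:
    branches: [main]
    paths:
      - "veza-backend-api/Dockerfile*"
      - "apps/web/Dockerfile*"
      - "veza-stream-server/Dockerfile*"
  workflow_dispatch:

# Least privilege for the default GITHUB_TOKEN: every job only checks the
# repository out and builds/scans locally; nothing is written back.
permissions:
  contents: read

# NOTE(review): the previous workflow-level `env` block set
# GIT_SSL_NO_VERIFY="true" and NODE_TLS_REJECT_UNAUTHORIZED="0". Those
# variables disable TLS certificate verification for git and Node on the
# runner, leaving the checkout and any other network access open to
# interception, and they are not inherited by RUN instructions inside
# `docker build` anyway. They were dropped here; if a single step really
# needs them, scope them to that step and record the reason next to it.

jobs:
  scan-backend:
    name: Scan Backend Image
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      # Build context is the service directory; the production Dockerfile
      # is the one shipped, so it is the one scanned.
      - name: Build backend image
        run: docker build -t veza-backend:scan -f veza-backend-api/Dockerfile.production veza-backend-api/

      # Fail the job (exit-code 1) on CRITICAL/HIGH findings that have a fix
      # available; unfixed findings are reported but do not block.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # v0.28.0
        with:
          image-ref: "veza-backend:scan"
          format: "table"
          exit-code: "1"
          severity: "CRITICAL,HIGH"
          ignore-unfixed: true

  scan-stream-server:
    name: Scan Stream Server Image
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      # Build context is the repository root (unlike the other two jobs);
      # presumably the stream server Dockerfile copies shared files from
      # outside its own directory — confirm before narrowing the context.
      - name: Build stream server image
        run: docker build -t veza-stream:scan -f veza-stream-server/Dockerfile .

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # v0.28.0
        with:
          image-ref: "veza-stream:scan"
          format: "table"
          exit-code: "1"
          severity: "CRITICAL,HIGH"
          ignore-unfixed: true

  scan-frontend:
    name: Scan Frontend Image
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      # The frontend image is optional: only build and scan it when a
      # Dockerfile is present. The result is exported as a step output so
      # the following steps can be skipped with `if:` instead of failing.
      - name: Check if frontend Dockerfile exists
        id: check
        run: |
          if [ -f "apps/web/Dockerfile" ] || [ -f "apps/web/Dockerfile.production" ]; then
            echo "exists=true" >> "$GITHUB_OUTPUT"
          else
            echo "exists=false" >> "$GITHUB_OUTPUT"
          fi

      # Prefer the production Dockerfile when both variants exist.
      - name: Build frontend image
        if: steps.check.outputs.exists == 'true'
        run: |
          DOCKERFILE=$([ -f "apps/web/Dockerfile.production" ] && echo "apps/web/Dockerfile.production" || echo "apps/web/Dockerfile")
          docker build -t veza-frontend:scan -f "$DOCKERFILE" apps/web/

      - name: Run Trivy vulnerability scanner
        if: steps.check.outputs.exists == 'true'
        uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # v0.28.0
        with:
          image-ref: "veza-frontend:scan"
          format: "table"
          exit-code: "1"
          severity: "CRITICAL,HIGH"
          ignore-unfixed: true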