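# Container image scan: builds each service image from its Dockerfile and runs Trivy
# against it, failing the job on CRITICAL/HIGH findings that have an upstream fix.
#
# The push/pull_request triggers are path-filtered to the Dockerfiles, so a base image
# that acquires a newly published CVE while no Dockerfile changes would never be
# re-scanned by those events alone; the schedule trigger below closes that gap.
name: Container Image Scan

on:
  push:
    branches: [main]
    paths:
      - 'veza-backend-api/Dockerfile*'
      - 'apps/web/Dockerfile*'
      - 'veza-stream-server/Dockerfile*'
  pull_request:
    branches: [main]
    paths:
      - 'veza-backend-api/Dockerfile*'
      - 'apps/web/Dockerfile*'
      - 'veza-stream-server/Dockerfile*'
  schedule:
    # Periodic re-scan of otherwise unchanged images (cadence is a placeholder; tune as needed).
    - cron: '0 6 * * 1'
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: these jobs only check out code and build locally,
# nothing is pushed, commented or uploaded, so read access to contents is sufficient.
permissions:
  contents: read

jobs:
  scan-backend:
    name: Scan Backend Image
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Build backend image
        run: docker build -t veza-backend:scan -f veza-backend-api/Dockerfile.production veza-backend-api/
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # v0.28.0
        with:
          image-ref: 'veza-backend:scan'
          format: 'table'
          # Non-zero exit on any finding at the selected severities fails the job.
          exit-code: '1'
          severity: 'CRITICAL,HIGH'
          # Findings with no upstream fix are hidden from the report, not absent from the image.
          ignore-unfixed: true

  scan-stream-server:
    name: Scan Stream Server Image
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Build stream server image
        # Build context is the repository root (unlike the other jobs), as the original workflow had it.
        run: docker build -t veza-stream:scan -f veza-stream-server/Dockerfile .
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # v0.28.0
        with:
          image-ref: 'veza-stream:scan'
          format: 'table'
          exit-code: '1'
          severity: 'CRITICAL,HIGH'
          ignore-unfixed: true

  scan-frontend:
    name: Scan Frontend Image
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Check if frontend Dockerfile exists
        id: check
        # Resolves the Dockerfile once (production variant preferred) so the build step does
        # not repeat the probe; `exists` gates the later steps, `dockerfile` is the chosen path.
        run: |
          if [ -f "apps/web/Dockerfile.production" ]; then
            echo "exists=true" >> "$GITHUB_OUTPUT"
            echo "dockerfile=apps/web/Dockerfile.production" >> "$GITHUB_OUTPUT"
          elif [ -f "apps/web/Dockerfile" ]; then
            echo "exists=true" >> "$GITHUB_OUTPUT"
            echo "dockerfile=apps/web/Dockerfile" >> "$GITHUB_OUTPUT"
          else
            echo "exists=false" >> "$GITHUB_OUTPUT"
          fi
      - name: Build frontend image
        if: steps.check.outputs.exists == 'true'
        # Step output is passed through env rather than interpolated into the shell line,
        # which is the safe pattern for any expression-derived value in `run:`.
        env:
          DOCKERFILE: ${{ steps.check.outputs.dockerfile }}
        run: docker build -t veza-frontend:scan -f "$DOCKERFILE" apps/web/
      - name: Run Trivy vulnerability scanner
        if: steps.check.outputs.exists == 'true'
        uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # v0.28.0
        with:
          image-ref: 'veza-frontend:scan'
          format: 'table'
          exit-code: '1'
          severity: 'CRITICAL,HIGH'
          ignore-unfixed: true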