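---
# Trivy vulnerability scanning for this repository: one job scans the checked-out
# source tree, a second builds the backend and frontend container images and
# scans each of them. Every scan step uses `exit-code: 1`, so a CRITICAL or HIGH
# finding that has a fix available fails the job (`ignore-unfixed: true` drops
# findings with no upstream fix yet).
name: Trivy Security Scans

on:
  push:
    branches:
      - main
      - development
  pull_request:
    branches:
      - main
      - development
  schedule:
    - cron: "0 8 * * 1" # Weekly scan on Mondays at 8 AM UTC

# Least privilege for GITHUB_TOKEN: no step in this workflow writes to the
# repository or publishes a package, so read access is all that is required.
# `packages: read` is sufficient for the GHCR login below (pulls only).
permissions:
  contents: read
  packages: read

jobs:
  filesystem-scan:
    name: Trivy Filesystem Scan (Source Code)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Scan source code (Filesystem) with Trivy
        # TODO: pin this action to a release tag or a full commit SHA instead of
        # the mutable `master` branch. The scanner is itself a supply-chain
        # dependency of the CI pipeline; an unpinned ref can change underneath
        # the workflow without any change in this repository.
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          scan-ref: .
          format: table
          exit-code: 1
          ignore-unfixed: true
          severity: CRITICAL,HIGH

  image-scan:
    name: Trivy Docker Image Scan (Backend & Frontend)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Optional: only needed if the image builds pull private base images from
      # GHCR, or if the images are later pushed there. This workflow does
      # neither, so the step can be removed; with the read-only token
      # permissions above it cannot publish anything even if left in place.
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Images are built locally and tagged without a registry prefix; they are
      # scanned from the runner's local Docker daemon and never pushed.
      - name: Build backend Docker image
        run: docker build -t adventurelog-backend ./backend

      - name: Build frontend Docker image
        run: docker build -t adventurelog-frontend ./frontend

      # TODO: pin to a release tag or full commit SHA (see the filesystem scan
      # step for the rationale); the same applies to the frontend scan below.
      - name: Scan backend Docker image with Trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: adventurelog-backend
          format: table
          exit-code: 1
          ignore-unfixed: true
          severity: CRITICAL,HIGH

      - name: Scan frontend Docker image with Trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: adventurelog-frontend
          format: table
          exit-code: 1
          ignore-unfixed: true
          severity: CRITICAL,HIGH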