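#!/bin/bash
# Run Trivy image security scan
#
# Builds the Docker image and scans it for HIGH/CRITICAL vulnerabilities.
#
# Usage: $0 [IMAGE_NAME]
#   IMAGE_NAME  tag given to the built image (default: hastebin:test)
#
# Exit status: non-zero when trivy is not installed, the image build fails,
# or trivy reports a HIGH/CRITICAL vulnerability that has a fix available.
set -euo pipefail

IMAGE_NAME="${1:-hastebin:test}"
readonly IMAGE_NAME

#######################################
# Print a diagnostic message to stderr.
# Arguments: message words
#######################################
warn() {
  printf '%s\n' "$*" >&2
}

#######################################
# Abort early if trivy is not on PATH. Checked BEFORE the image build so a
# missing scanner fails fast instead of after a full --no-cache rebuild.
# Returns: exits 1 when trivy is missing
#######################################
check_trivy() {
  if ! command -v trivy >/dev/null 2>&1; then
    warn "Trivy not found. Please install it:"
    warn " brew install trivy"
    warn " or visit: https://aquasecurity.github.io/trivy/latest/getting-started/installation/"
    exit 1
  fi
}

#######################################
# Build the image that will be scanned.
# Globals:   IMAGE_NAME (read)
# Returns:   docker build's exit status (set -e aborts the script on failure)
#######################################
build_image() {
  printf '🐳 Building Docker image: %s\n' "$IMAGE_NAME"
  # --no-cache forces every layer to be rebuilt so stale cached layers cannot
  # hide changes in the build context.
  docker build -t "$IMAGE_NAME" --no-cache .
  printf '\n'
}

#######################################
# Scan the built image with trivy.
# Globals:   IMAGE_NAME (read)
# Returns:   trivy's exit status; --exit-code 1 makes trivy return 1 when a
#            matching vulnerability is found, which set -e turns into a
#            script failure (the findings table is already printed by then).
#######################################
scan_image() {
  printf '🔒 Running Trivy image security scan...\n'
  trivy --version
  printf '\n'
  printf '📦 Scanning Docker image for vulnerabilities...\n'
  printf '\n'

  # Policy notes for reviewers of this gate:
  #  - --scanners vuln:   only OS/library vulnerabilities; misconfiguration
  #                       and secret scanners are NOT run here.
  #  - --ignore-unfixed:  findings with no upstream fix are suppressed, so a
  #                       passing scan does not mean the image is free of
  #                       known HIGH/CRITICAL issues — only of fixable ones.
  #  - --severity:        MEDIUM and below never fail the build.
  trivy image \
    --timeout 10m \
    --scanners vuln \
    --severity HIGH,CRITICAL \
    --ignore-unfixed \
    --exit-code 1 \
    --format table \
    "$IMAGE_NAME"
}

main() {
  check_trivy
  build_image
  scan_image
  printf '\n'
  printf '✅ Trivy image scan completed!\n'
}

main "$@"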