# Scripts

This directory contains utility scripts for the Hastebin project.

## Git Hooks Installation

### `install-git-hooks.sh`

Installs a Git pre-commit hook to stop broken code from being committed. The hook runs the core tests before each commit.

**Usage:**

```bash
./scripts/install-git-hooks.sh
```

**What it does:**

1. Creates a pre-commit hook in `.git/hooks/pre-commit`
2. The hook runs `npm run test:core` before each commit
3. If the tests fail, the commit is aborted
4. Automatically installs dependencies if `node_modules` is missing

**Skipping the hook:**

If you need to skip the pre-commit hook (not recommended), use:

```bash
git commit --no-verify
```

**Note:** The hook runs the core tests only (faster than the full test suite) to keep commit times reasonable. Full tests are still run in CI/CD via Woodpecker. Because `.git/hooks` is not versioned, the hook exists only in clones where the installer has been run, and `--no-verify` bypasses it; treat it as a developer convenience and rely on CI as the actual gate.

## Security Scanning

### SBOM Generation

#### `scan-sbom.sh`

Generates a Software Bill of Materials (SBOM) for the source code using Syft. Creates SBOM files in multiple formats (table, SPDX JSON, CycloneDX JSON).

**Usage:**

```bash
./scripts/scan-sbom.sh
# or
npm run scan:sbom
```

**Output files:**

- `sbom.txt` - Human-readable table format
- `sbom.spdx.json` - SPDX JSON format
- `sbom.cyclonedx.json` - CycloneDX JSON format

**Requirements:**

- Syft (automatically installed if not present)

### Trivy Security Scans

#### `scan-trivy-fs.sh`

Runs a Trivy filesystem scan to detect vulnerabilities and misconfigurations in the codebase and Dockerfile.

**Usage:**

```bash
./scripts/scan-trivy-fs.sh
# or
npm run scan:trivy
```

**What it scans:**

- Filesystem for vulnerabilities (HIGH and CRITICAL severity)
- Dockerfile for misconfigurations
- Reports findings but does not fail the run (exit code 0), so it is informational rather than a gate

**Requirements:**

- Trivy installed (`brew install trivy` or see the [Trivy installation guide](https://aquasecurity.github.io/trivy/latest/getting-started/installation/))

#### `scan-trivy-image.sh`

Builds the Docker image and scans it for vulnerabilities using Trivy.
**Usage:**

```bash
./scripts/scan-trivy-image.sh [image-name]
# or
npm run scan:trivy:image
```

**Default image name:** `hastebin:test`

**What it does:**

1. Builds the Docker image
2. Scans the image for vulnerabilities (HIGH and CRITICAL severity)
3. Fails if unfixed vulnerabilities are found (exit code 1); unlike the filesystem scan, this one is a gate

**Requirements:**

- Docker
- Trivy installed

### Image SBOM Generation

#### `scan-sbom-image.sh`

Builds the Docker image and generates an SBOM for it.

**Usage:**

```bash
./scripts/scan-sbom-image.sh [image-name]
# or
npm run scan:sbom:image
```

**Default image name:** `hastebin:test`

**Output files:**

- `sbom-image.txt` - Human-readable table format
- `sbom-image.spdx.json` - SPDX JSON format
- `sbom-image.cyclonedx.json` - CycloneDX JSON format

**Requirements:**

- Docker
- Syft (automatically installed if not present)

### Running All Scans

To run both SBOM generation and the Trivy filesystem scan:

```bash
npm run scan:all
```

This runs:

1. SBOM generation for source code
2. Trivy filesystem security scan

The image scan and image SBOM (`scan:trivy:image`, `scan:sbom:image`) are not part of `scan:all` and must be run separately.
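As an added example (not the project's `install-git-hooks.sh`), here is a POSIX shell installer that performs the four steps listed under "Git Hooks Installation": it writes `.git/hooks/pre-commit`, makes it executable, and the generated hook installs dependencies when `node_modules` is missing, runs `npm run test:core`, and aborts the commit on a non-zero exit. `npm run test:core` and the hook path come from this README; the use of `npm ci` for the dependency install, the backup of a pre-existing hook, and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the project's install-git-hooks.sh.
# Assumptions: "npm ci" is used for the dependency install (the project's
# script may use "npm install"); foreign hooks are backed up rather than
# overwritten.
set -eu

# Write REPO_ROOT/.git/hooks/pre-commit and make it executable.
# Usage: install_pre_commit_hook [repo-root]   (defaults to ".")
install_pre_commit_hook() {
    repo_root="${1:-.}"
    hooks_dir="$repo_root/.git/hooks"
    hook="$hooks_dir/pre-commit"

    # Refuse to run outside a checkout instead of creating a stray .git tree.
    if [ ! -d "$repo_root/.git" ]; then
        echo "error: $repo_root is not a git repository" >&2
        return 1
    fi
    mkdir -p "$hooks_dir"

    # Preserve a hook somebody else wrote; re-running over our own hook is fine.
    if [ -f "$hook" ] && ! grep -q 'npm run test:core' "$hook"; then
        cp "$hook" "$hook.bak"
        echo "existing hook saved as $hook.bak"
    fi

    # Quoted delimiter ('EOF'): $variables and $(...) stay literal here and are
    # evaluated when the hook runs, not when it is installed.
    cat > "$hook" <<'EOF'
#!/bin/sh
# pre-commit: run the core tests; any non-zero exit aborts the commit.
set -eu
# git already runs pre-commit from the working-tree root; this only matters
# if the hook is invoked by hand from a subdirectory.
cd "$(git rev-parse --show-toplevel)"

if [ ! -d node_modules ]; then
    echo "pre-commit: node_modules missing, installing dependencies..."
    npm ci
fi

echo "pre-commit: running core tests (bypass with: git commit --no-verify)"
npm run test:core
EOF
    chmod +x "$hook"
    echo "installed $hook"
}

# True when the hook is present and executable; handy for a "doctor" check.
hook_installed() {
    [ -x "${1:-.}/.git/hooks/pre-commit" ]
}

# Run as: sh install-hooks-example.sh /path/to/checkout
# With no argument the functions are only defined (so the file can be sourced).
[ "$#" -eq 0 ] || install_pre_commit_hook "$1"
```

Because the hook lives in the unversioned `.git/hooks` directory, every clone has to run the installer once, and a developer can always skip it with `--no-verify`; the CI run remains the enforcement point.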
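The following is an added example, not the project's `scan-trivy-fs.sh`, `scan-trivy-image.sh` or `scan-sbom.sh`. It makes the report-versus-gate distinction from the sections above explicit in one wrapper (filesystem scan at exit code 0, image scan at exit code 1, both restricted to HIGH and CRITICAL), and goes one step beyond the project's scripts by also gating on the SBOM that `scan-sbom.sh` writes, via `trivy sbom`, which needs neither a rebuild nor a second filesystem walk. The Trivy flags are real; the function names, the `IGNORE_UNFIXED` toggle and the pipeline ordering are assumptions, and `hastebin:test` is the default image name taken from this README.

```shell
#!/bin/sh
# Added example, not the project's scan-trivy-*.sh / scan-sbom.sh scripts.
# Assumed: function names, the IGNORE_UNFIXED toggle, and that sbom.cyclonedx.json
# was produced by scan-sbom.sh in the current directory.
set -eu

SEVERITY="${SEVERITY:-HIGH,CRITICAL}"

# Informational scan of the working tree (vulnerabilities + Dockerfile
# misconfigurations). --exit-code 0 means findings are printed but never
# break the run, which is what the README describes for scan-trivy-fs.sh.
scan_fs_report() {
    target="${1:-.}"
    trivy fs --scanners vuln,misconfig --severity "$SEVERITY" --exit-code 0 "$target"
}

# Gating scan of an already-built image: exit status 1 on any HIGH/CRITICAL
# finding. By default findings without a fixed version still count, matching
# "fails if unfixed vulnerabilities are found"; set IGNORE_UNFIXED=1 to drop
# them when a team only wants to block on actionable findings.
scan_image_gate() {
    image="${1:-hastebin:test}"
    set -- image --scanners vuln --severity "$SEVERITY" --exit-code 1
    if [ "${IGNORE_UNFIXED:-0}" = "1" ]; then
        set -- "$@" --ignore-unfixed
    fi
    trivy "$@" "$image"
}

# Gate on a Syft-generated SBOM (SPDX or CycloneDX JSON) instead of re-walking
# the tree; same severity policy, same blocking exit code.
scan_sbom_gate() {
    sbom="${1:-sbom.cyclonedx.json}"
    if [ ! -f "$sbom" ]; then
        echo "error: $sbom not found (run ./scripts/scan-sbom.sh first)" >&2
        return 2
    fi
    trivy sbom --severity "$SEVERITY" --exit-code 1 "$sbom"
}

# Report first, then gate; the pipeline's exit status is the image gate's, so
# a CI step calling this fails exactly when scan_image_gate does.
scan_pipeline() {
    scan_fs_report "${1:-.}" || true   # report mode already exits 0; defensive
    scan_image_gate "${2:-hastebin:test}"
}

# Run as: sh scan-gate-example.sh [source-dir] [image-name]
# With no arguments only the functions are defined, so the file can be sourced.
[ "$#" -eq 0 ] || scan_pipeline "${1:-.}" "${2:-hastebin:test}"
```

Under `set -e`, a gating function that ends in `trivy ... --exit-code 1` aborts the calling script the moment Trivy reports a finding, which is the behaviour you want in CI; the report function deliberately passes `--exit-code 0` so the same `set -e` does not turn an informational scan into a blocking one.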