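#!/bin/sh
# Scan the filesystem mounted at /mnt with trivy, one run per scanner, then diff each
# scanner's report against the report from the previous run. All reports live under /log.
#
# Environment:
#   TIMEOUT         value passed to trivy --timeout (default 120m)
#   IGNORE_UNFIXED  "true" adds --ignore-unfixed to the trivy call (default false)
#   LOW_PRIORITY    defined here but not used in the visible part of the script (see run_scan)
#   SCANNERS_ENV    comma-separated trivy scanner list; defaults to "vuln config secret"
#
# NOTE(review): this copy was recovered from a whitespace-collapsed page and a stretch in
# the middle (the end of the SCANNERS_ENV parsing, run_scan's header and the first branch
# of its if/else) is missing. Those places are marked FIXME(review) below. The rest is
# rewritten in plain POSIX sh because the original mixed `read -a` (a bash array builtin)
# with a #!/bin/sh shebang, which fails under dash/ash and leaves SCANNERS empty.

TIMEOUT=${TIMEOUT:-120m}
IGNORE_UNFIXED=${IGNORE_UNFIXED:-false}
LOW_PRIORITY=${LOW_PRIORITY:-true}

# Use SCANNERS_ENV if provided, otherwise default to vuln, config, secret.
# SCANNERS is a space-separated word list (POSIX sh has no arrays). Scanner names are
# single tokens, so word-splitting is intended wherever SCANNERS is expanded unquoted.
if [ -n "$SCANNERS_ENV" ]; then
  SCANNERS=$(printf '%s' "$SCANNERS_ENV" | tr ',' ' ')
else
  SCANNERS='vuln config secret'
fi

# Scanner names are spliced into file paths under /log, so refuse anything that could
# point outside that directory.
# shellcheck disable=SC2086 -- intentional word-splitting
for SCANNER in $SCANNERS; do
  case "$SCANNER" in
    .|..|*/*)
      printf 'invalid scanner name in SCANNERS_ENV: %s\n' "$SCANNER" >&2
      exit 2
      ;;
  esac
done

#######################################
# Run one trivy filesystem scan of /mnt per scanner, writing the report to
# /log/trivy_scan_<scanner>.log (an existing report for that scanner is overwritten).
# --skip-update means findings are only as current as the vulnerability DB already
# present in the image or cache.
# Globals:  TIMEOUT, IGNORE_UNFIXED, SCANNERS (read)
# Returns:  status of the last trivy invocation
#######################################
run_scan() {
  # shellcheck disable=SC2086 -- intentional word-splitting
  for SCANNER in $SCANNERS; do
    CURRENT_LOG="/log/trivy_scan_${SCANNER}.log"
    # FIXME(review): the original wrapped this call in an if/else whose condition and
    # "then" branch were lost in the recovered text; only the `else` branch (the plain
    # trivy call) survives. LOW_PRIORITY, set above and otherwise unused, is the likely
    # condition — confirm against the upstream script.
    #
    # Optional flags are collected in the function's positional parameters so every
    # expansion in the trivy call can stay quoted (no empty argument when unset).
    if [ "$IGNORE_UNFIXED" = "true" ]; then
      set -- --ignore-unfixed
    else
      set --
    fi
    trivy filesystem --skip-update --timeout "$TIMEOUT" --scanners "$SCANNER" "$@" /mnt > "$CURRENT_LOG"
  done
}

#######################################
# For each scanner, diff the current report against the previous run's report into
# /log/scandiff_<scanner>_<YYYY.MM.DD>.log, then promote the current report to
# /log/previous_scan_<scanner>.log. A scanner without a current report is skipped, and
# the very first run writes no diff because no previous report exists yet. Two runs on
# the same day overwrite the same diff file.
# Globals:  SCANNERS (read)
# Returns:  status of the last cp
#######################################
compare_scans() {
  SCAN_DATE=$(date '+%Y.%m.%d')   # loop-invariant: one date for the whole pass
  # shellcheck disable=SC2086 -- intentional word-splitting
  for SCANNER in $SCANNERS; do
    PREVIOUS_LOG="/log/previous_scan_${SCANNER}.log"
    CURRENT_LOG="/log/trivy_scan_${SCANNER}.log"
    DIFF_LOG="/log/scandiff_${SCANNER}_${SCAN_DATE}.log"
    [ -f "$CURRENT_LOG" ] || continue
    if [ -f "$PREVIOUS_LOG" ]; then
      # diff exits 1 when the reports differ; that is the expected case, not an error.
      diff -- "$PREVIOUS_LOG" "$CURRENT_LOG" > "$DIFF_LOG"
    fi
    cp -- "$CURRENT_LOG" "$PREVIOUS_LOG"
  done
}

run_scan
compare_scans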