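#!/bin/bash
#
# Run trivy filesystem scans against a mounted target, writing one log per
# scanner, then diff each log against the copy kept from the previous run
# and promote the new log to become that baseline.
#
# Environment (all optional):
#   TIMEOUT         trivy --timeout value                (default: 120m)
#   IGNORE_UNFIXED  "true" adds --ignore-unfixed          (default: false)
#   LOW_PRIORITY    "true" runs trivy under nice -n 19    (default: true)
#   SCANNERS_ENV    comma-separated trivy scanner list    (default: vuln,misconfig,secret)
#   LOG_DIR         directory for scan and diff logs      (default: /log)
#   SCAN_ROOT       filesystem path handed to trivy       (default: /mnt)
#   CACHE_DIR       trivy --cache-dir (vulnerability DB)  (default: /tmp)
#
# Exit status: 0 when every scanner ran and was compared; 1 when a
# prerequisite is missing or at least one scanner/compare step failed.
# set -e is deliberately not used: one failing scanner must not prevent
# the remaining scanners from running, so every step is checked explicitly.

set -u

TIMEOUT=${TIMEOUT:-120m}
IGNORE_UNFIXED=${IGNORE_UNFIXED:-false}
LOW_PRIORITY=${LOW_PRIORITY:-true}
# Use SCANNERS_ENV if provided, otherwise default to vuln,misconfig,secret
SCANNERS_ENV=${SCANNERS_ENV:-"vuln,misconfig,secret"}
LOG_DIR=${LOG_DIR:-/log}
SCAN_ROOT=${SCAN_ROOT:-/mnt}
CACHE_DIR=${CACHE_DIR:-/tmp}

#######################################
# Split a comma-separated scanner list into one name per line.
# Surrounding whitespace is trimmed and empty fields are dropped. Names are
# used to build log file paths under LOG_DIR, so anything outside
# [A-Za-z0-9_-] is rejected with a warning rather than passed through.
# Arguments: $1 - comma-separated list (e.g. "vuln,misconfig")
# Outputs:   one scanner name per line on stdout; warnings on stderr
# Returns:   0
#######################################
split_scanners() {
  local field
  # read -d ',' consumes one field per iteration; the trailing field has no
  # comma, so read returns non-zero for it and the || keeps it in the loop.
  while IFS= read -r -d ',' field || [[ -n "$field" ]]; do
    # trim leading and trailing whitespace (covers the here-string newline)
    field=${field#"${field%%[![:space:]]*}"}
    field=${field%"${field##*[![:space:]]}"}
    if [[ -z "$field" ]]; then
      continue
    fi
    if [[ "$field" =~ ^[A-Za-z0-9_-]+$ ]]; then
      printf '%s\n' "$field"
    else
      printf 'warning: ignoring invalid scanner name %q\n' "$field" >&2
    fi
  done <<<"$1"
  return 0
}

#######################################
# Verify the environment the scan needs before touching anything.
# Globals:   LOG_DIR, SCAN_ROOT, SCANNERS_ENV (read)
# Outputs:   error message on stderr
# Returns:   0 when trivy, LOG_DIR, SCAN_ROOT and at least one scanner exist
#######################################
check_prereqs() {
  if ! command -v trivy >/dev/null 2>&1; then
    printf 'error: trivy not found in PATH\n' >&2
    return 1
  fi
  if [[ ! -d "$LOG_DIR" ]]; then
    printf 'error: log directory %s does not exist\n' "$LOG_DIR" >&2
    return 1
  fi
  if [[ ! -e "$SCAN_ROOT" ]]; then
    printf 'error: scan root %s does not exist\n' "$SCAN_ROOT" >&2
    return 1
  fi
  if [[ -z "$(split_scanners "$SCANNERS_ENV")" ]]; then
    printf 'error: no valid scanners in SCANNERS_ENV=%q\n' "$SCANNERS_ENV" >&2
    return 1
  fi
  return 0
}

#######################################
# Run trivy once per scanner, writing its stdout to
# LOG_DIR/trivy_scan_<scanner>.log. A run that exits non-zero has its log
# renamed to <log>.failed so compare_scans keeps the previous baseline
# instead of overwriting it with partial output.
# Globals:   TIMEOUT, IGNORE_UNFIXED, LOW_PRIORITY, SCANNERS_ENV,
#            LOG_DIR, SCAN_ROOT, CACHE_DIR (read)
# Outputs:   warnings on stderr; trivy's own stderr is left untouched
# Returns:   0 when every scanner succeeded, 1 otherwise
#######################################
run_scan() {
  local scanner log rc=0
  local -a cmd=()
  # Build the invocation once as an array so both the nice and plain forms
  # share a single, properly quoted command line.
  if [[ "$LOW_PRIORITY" == "true" ]]; then
    cmd+=(nice -n 19)
  fi
  cmd+=(trivy filesystem --cache-dir "$CACHE_DIR" --timeout "$TIMEOUT")
  if [[ "$IGNORE_UNFIXED" == "true" ]]; then
    cmd+=(--ignore-unfixed)
  fi
  while IFS= read -r scanner; do
    log="$LOG_DIR/trivy_scan_${scanner}.log"
    if ! "${cmd[@]}" --scanners "$scanner" "$SCAN_ROOT" >"$log"; then
      printf 'warning: trivy %s scan failed; partial log kept as %s.failed\n' \
        "$scanner" "$log" >&2
      mv -f -- "$log" "${log}.failed"
      rc=1
    fi
  done < <(split_scanners "$SCANNERS_ENV")
  return "$rc"
}

#######################################
# For each scanner whose current log exists: diff it against the previous
# baseline (if any) into LOG_DIR/scandiff_<scanner>_<YYYY.MM.DD>.log, then
# copy the current log over the baseline LOG_DIR/previous_scan_<scanner>.log.
# Globals:   SCANNERS_ENV, LOG_DIR (read)
# Outputs:   warnings on stderr
# Returns:   0 when every diff/copy succeeded, 1 otherwise
#######################################
compare_scans() {
  local scanner previous current diff_log st rc=0
  local scan_date
  # one timestamp per run so all diff files from this invocation agree
  scan_date=$(date +%Y.%m.%d)
  while IFS= read -r scanner; do
    previous="$LOG_DIR/previous_scan_${scanner}.log"
    current="$LOG_DIR/trivy_scan_${scanner}.log"
    diff_log="$LOG_DIR/scandiff_${scanner}_${scan_date}.log"
    if [[ ! -f "$current" ]]; then
      continue
    fi
    if [[ -f "$previous" ]]; then
      # diff exits 1 when the inputs differ, which is the expected case;
      # only an exit status above 1 signals an actual error.
      diff -- "$previous" "$current" >"$diff_log"
      st=$?
      if (( st > 1 )); then
        printf 'warning: diff failed for scanner %s (status %d)\n' "$scanner" "$st" >&2
        rc=1
      fi
    fi
    if ! cp -- "$current" "$previous"; then
      printf 'warning: could not update baseline %s\n' "$previous" >&2
      rc=1
    fi
  done < <(split_scanners "$SCANNERS_ENV")
  return "$rc"
}

#######################################
# Entry point: check prerequisites, run all scanners, then compare.
# compare_scans still runs after a partial run_scan failure so the scanners
# that did succeed get their baselines updated.
# Returns:   0 on full success, 1 otherwise
#######################################
main() {
  local rc=0
  check_prereqs || return 1
  run_scan || rc=1
  compare_scans || rc=1
  return "$rc"
}

main "$@"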