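#!/bin/bash
#
# Scan a container image with Trivy, preferring a local `trivy` binary and
# falling back to the aquasec/trivy container image when none is on PATH.
#
# Usage:  ./<this script> [IMAGE]          (default IMAGE: ploughshares:dev)
#
# Environment:
#   TRIVY_SEVERITY   comma-separated severities to report (default: HIGH,CRITICAL)
#   TRIVY_EXIT_CODE  status trivy returns when findings exist (default: 1)
#   IGNORE_UNFIXED   "1" (default) passes --ignore-unfixed, hiding findings
#                    that have no fixed version yet
#   TRIVY_TAG        tag of aquasec/trivy used by the container fallback
#                    (default: latest)
#
# Exit status:
#   0  no findings at the requested severities
#   1  findings detected (trivy exited with TRIVY_EXIT_CODE)
#   2  docker missing, or trivy failed for another reason (image not found,
#      DB download failure, ...). With the default TRIVY_EXIT_CODE=1 such
#      errors are indistinguishable from findings and are reported as 1.
set -Eeuo pipefail

# ANSI colours as real escape bytes so plain printf '%s' can emit them.
readonly GREEN=$'\033[0;32m'
readonly RED=$'\033[0;31m'
readonly YELLOW=$'\033[0;33m'
readonly BLUE=$'\033[0;34m'
readonly NC=$'\033[0m'

IMAGE=${1:-ploughshares:dev}
SEVERITY=${TRIVY_SEVERITY:-HIGH,CRITICAL}
EXIT_CODE=${TRIVY_EXIT_CODE:-1}
IGNORE_UNFIXED=${IGNORE_UNFIXED:-1}
TRIVY_TAG=${TRIVY_TAG:-latest}
readonly IMAGE SEVERITY EXIT_CODE IGNORE_UNFIXED TRIVY_TAG

#######################################
# Run trivy with the given CLI arguments, using a local binary if present and
# the aquasec/trivy container otherwise.
# Globals:   YELLOW, NC, TRIVY_TAG (read)
# Arguments: trivy command-line arguments
# Outputs:   a note about which trivy is used, then trivy's own output
# Returns:   trivy's exit status
#######################################
run_trivy() {
  if command -v trivy >/dev/null 2>&1; then
    printf '%s\n' "${YELLOW}Using local trivy binary${NC}"
    trivy "$@"
  else
    printf '%s\n' "${YELLOW}Local trivy not found; using Docker image aquasec/trivy:${TRIVY_TAG}${NC}"
    # The daemon socket is mounted so the containerised trivy can read images
    # that exist only in the local Docker image store. This gives the trivy
    # container full control of the Docker daemon, so pin TRIVY_TAG to a
    # reviewed release (rather than "latest") anywhere this runs unattended.
    # The cache dir is inside the container and not persisted; the vulnerability
    # DB is re-downloaded on every run (mount a host directory to keep it).
    docker run --rm \
      -v /var/run/docker.sock:/var/run/docker.sock \
      -e TRIVY_CACHE_DIR=/root/.cache/trivy \
      "aquasec/trivy:${TRIVY_TAG}" "$@"
  fi
}

main() {
  printf '%s\n' "${BLUE}Scanning image ${IMAGE} with Trivy (severity: ${SEVERITY})${NC}"
  echo "=================================================="

  # Docker is required both for the container fallback and for trivy to read a
  # locally built image (the default ploughshares:dev is not in a registry).
  if ! command -v docker >/dev/null 2>&1; then
    printf '%s\n' "${RED}Docker is required to run Trivy via container.${NC}" >&2
    exit 2
  fi

  # Build the argument list as an array so values with spaces stay intact.
  local -a trivy_args=(
    image "${IMAGE}"
    --severity "${SEVERITY}"
    --exit-code "${EXIT_CODE}"
    --no-progress
  )
  if [[ "${IGNORE_UNFIXED}" == "1" ]]; then
    trivy_args+=(--ignore-unfixed)
  fi

  # Capture the status without tripping set -e so the outcome can be reported.
  local rc=0
  run_trivy "${trivy_args[@]}" || rc=$?

  if (( rc == 0 )); then
    # Note: with TRIVY_EXIT_CODE=0 trivy exits 0 even when it found something;
    # this message then only means the scan itself completed.
    printf '%s\n' "${GREEN}No ${SEVERITY} vulnerabilities found in ${IMAGE}.${NC}"
    exit 0
  elif (( rc == EXIT_CODE )); then
    printf '%s\n' "${RED}Vulnerabilities detected in ${IMAGE}.${NC}" >&2
    exit 1
  else
    # Any other non-zero status is trivy failing to scan, not a finding.
    printf '%s\n' "${RED}Trivy failed to scan ${IMAGE} (exit status ${rc}).${NC}" >&2
    exit 2
  fi
}

main "$@"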