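---
# Security workflow: dependency audit and static analysis for the Crystal
# code, plus a Dockle CIS scan of the built container image whose SARIF
# results are uploaded to the repository's code-scanning alerts.
name: Security

# `on` is a YAML 1.1 boolean for generic parsers; GitHub's loader handles it.
# yamllint disable-line rule:truthy
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 0 * * *'  # Run daily at midnight (UTC)

# Least-privilege token. Nothing here writes to the repository, but the
# SARIF upload step needs `security-events: write` and fails without it on
# repositories whose default GITHUB_TOKEN is read-only.
permissions:
  contents: read
  security-events: write

jobs:
  audit:
    name: Security Audit
    runs-on: ubuntu-latest
    steps:
      # Actions are pinned by major tag. For a stronger supply-chain
      # guarantee, pin each `uses:` to a full commit SHA
      # (e.g. `actions/checkout@<commit-sha>`) and let Dependabot keep
      # the pins current.
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install Crystal
        uses: crystal-lang/install-crystal@v1
        with:
          crystal_version: '1.9.2'  # quoted: a version string must never be retyped as a number

      - name: Install dependencies
        run: shards install

      # NOTE(review): upstream `shards` has no `audit` subcommand as far as
      # I know; confirm it is supplied by a locally installed shard/plugin,
      # otherwise this step fails with an unknown-command error.
      - name: Check for vulnerable dependencies
        run: shards audit

      # Ameba is expected to be built into bin/ by `shards install` (as a
      # development dependency). The fallback re-runs the install when the
      # binary is missing; it only helps if the first install was incomplete.
      - name: Run static analysis
        run: |
          if [ -f bin/ameba ]; then
            bin/ameba
          else
            echo "Ameba not found in bin/, installing..."
            shards install
            bin/ameba
          fi

  docker-scan:
    name: Docker Image Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # github.sha is set by the runner, not by user input, so it is safe to
      # interpolate into the shell command.
      - name: Build image
        run: docker build -t container-mom-operator:${{ github.sha }} .

      # exit-code '1' fails the job on findings; CIS-DI-0001 (run the
      # container as a non-root user) is explicitly ignored.
      - name: Run Dockle
        uses: goodwithtech/dockle-action@v1
        with:
          image: container-mom-operator:${{ github.sha }}
          format: sarif
          output: dockle-results.sarif
          exit-code: '1'
          ignore: CIS-DI-0001

      # always(): upload findings even when Dockle exits non-zero, so the
      # failing findings still reach the code-scanning UI.
      - name: Upload Dockle scan results
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: dockle-results.sarif
          category: Container Security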