#!/usr/bin/env bash
set -euo pipefail

# Directory that receives the generated files; defaults to the current directory.
TARGET_ROOT=${1:-.}

# Scanner image reference written into the workflow. Only assigned when the
# caller has not already exported a value (e.g. a digest-pinned reference).
: "${BLACKSHIELD_PIPELINE_IMAGE:=public.ecr.aws/blackshield-security/pipeline-scanner:1.0.0}"

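#######################################
# Replace every occurrence of a placeholder in a file, in place, treating both
# the placeholder and the replacement as literal text. The previous sed-based
# version interpreted regex metacharacters in the placeholder and the '|'
# delimiter, '&' and backslashes in the replacement, so an image reference
# supplied via the environment could break or alter the edit. Bash pattern
# substitution with quoted operands has no such interpretation. The file's
# bytes, including its trailing-newline state, are preserved apart from the
# substitutions.
# Globals:   none
# Arguments: $1 - path of the file to edit
#            $2 - placeholder text to look for (must be non-empty)
#            $3 - literal text to substitute for each occurrence
# Outputs:   diagnostics to stderr on bad arguments or I/O failure
# Returns:   0 on success, 1 otherwise
#######################################
replace_literal() {
  local file_path="$1"
  local placeholder="$2"
  local replacement="$3"
  local tmp_file="${file_path}.tmp.$$"
  local content

  if [[ -z "$placeholder" ]]; then
    printf 'replace_literal: placeholder must not be empty\n' >&2
    return 1
  fi
  if [[ ! -f "$file_path" ]]; then
    printf 'replace_literal: no such file: %s\n' "$file_path" >&2
    return 1
  fi

  # $(...) strips trailing newlines, so a sentinel byte is appended and then
  # removed again to keep the file's exact ending.
  content=$(cat -- "$file_path" && printf x) || return 1
  content=${content%x}

  # A quoted pattern is matched literally (no glob characters); a quoted
  # replacement keeps '&' literal on bash versions with patsub_replacement.
  content=${content//"$placeholder"/"$replacement"}

  # Write a sibling temp file and rename, so a failed write never leaves a
  # half-written target behind.
  if ! printf '%s' "$content" > "$tmp_file"; then
    rm -f -- "$tmp_file"
    return 1
  fi
  mv -- "$tmp_file" "$file_path"
}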

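workflow_path="$TARGET_ROOT/.github/workflows/security-scan.yml"
mkdir -p "$TARGET_ROOT/.github/workflows"

# An existing workflow at this path is replaced wholesale; say so on stderr
# rather than clobbering it silently.
if [[ -e "$workflow_path" ]]; then
  printf 'warning: overwriting existing %s\n' "$workflow_path" >&2
fi

# The heredoc delimiter is quoted, so the body is written verbatim: every
# "${{ ... }}" stays a GitHub Actions expression and only the
# __BLACKSHIELD_PIPELINE_IMAGE__ placeholder is filled in afterwards.
# Notes for maintainers of the template:
#   - The default image is referenced by tag; set BLACKSHIELD_PIPELINE_IMAGE to
#     a digest-pinned reference for a reproducible, tamper-evident pull.
#   - `security-events: write` is granted for an optional SARIF upload, but no
#     step in the template performs one; it can be dropped while that is so.
#   - The gate step's last command is `[ "$STATUS" = "pass" ]`, so an empty
#     STATUS from a failed curl or JSON parse also fails the job (fail-closed).
cat > "$workflow_path" <<'EOF'
name: Security Scan

on:
  push:
    branches: [main, develop, "release/**"]
  pull_request:
  schedule:
    # Full scan every Monday at 02:00 UTC
    - cron: "0 2 * * 1"
  workflow_dispatch:
    inputs:
      tool:
        description: "Scanner to run (leave blank for all)"
        required: false
        default: ""

jobs:
  scan:
    name: "${{ matrix.tool }}"
    runs-on: ubuntu-latest
    permissions:
      contents: read       # checkout
      security-events: write  # upload SARIF (optional)

    strategy:
      fail-fast: false
      matrix:
        tool:
          - trivy
          - semgrep
          - trufflehog
          - syft

    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # TruffleHog uses git mode against the local checkout when history is present
          fetch-depth: ${{ matrix.tool == 'trufflehog' && 0 || 1 }}

      - name: Run ${{ matrix.tool }}
        run: |
          docker run --rm \
            --env BLACKSHIELD_API_URL="${{ vars.BLACKSHIELD_API_URL }}" \
            --env BLACKSHIELD_API_KEY="${{ secrets.BLACKSHIELD_API_KEY }}" \
            --env SCAN_TOOL="${{ matrix.tool }}" \
            --env SCAN_TARGET="/workspace" \
            --env REPOSITORY_NAME="${{ github.repository }}" \
            --env SCAN_INTERVAL_SECONDS="0" \
            --env LOG_LEVEL="INFO" \
            --volume "${{ github.workspace }}:/workspace:ro" \
            __BLACKSHIELD_PIPELINE_IMAGE__

  # Optional: gate merges on critical findings
  gate:
    name: Gate on critical findings
    needs: scan
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    steps:
      - name: Check platform for open criticals
        run: |
          STATUS=$(curl -sf \
            -H "X-API-Key: ${{ secrets.BLACKSHIELD_API_KEY }}" \
            "${{ vars.BLACKSHIELD_API_URL }}/api/v1/ingest/gates/findings-summary?severity=critical&status=open&repository=${{ github.repository }}" \
            | python3 -c "import sys,json; d=json.load(sys.stdin); print('fail' if d.get('total',0)>0 else 'pass')")
          echo "Gate result: $STATUS"
          [ "$STATUS" = "pass" ]
EOF

# Fill in the image reference literally (no regex/sed interpretation of the
# value supplied through the environment).
replace_literal \
  "$workflow_path" \
  "__BLACKSHIELD_PIPELINE_IMAGE__" \
  "$BLACKSHIELD_PIPELINE_IMAGE"

printf '%s\n' "Wrote source bundle files:"
printf '  - %s\n' "$workflow_path"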
