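#!/usr/bin/env bash
# Generate a GitLab CI pipeline file that runs the Blackshield scanner jobs.
#
# Usage: <script> [TARGET_ROOT]
#   TARGET_ROOT  directory that receives .gitlab-ci.yml (default: current dir)
#
# Environment (optional overrides, substituted into the generated file):
#   BLACKSHIELD_API_URL         scanner API endpoint written to the CI variables
#   BLACKSHIELD_PIPELINE_IMAGE  container image the scanner jobs run in
#
# BLACKSHIELD_API_KEY is deliberately NOT handled here: the generated file
# expects it as a masked, protected CI/CD variable in GitLab.
set -euo pipefail

# Inputs are fixed once at startup; readonly guards against accidental
# reassignment further down the script.
readonly TARGET_ROOT="${1:-.}"
readonly BLACKSHIELD_API_URL="${BLACKSHIELD_API_URL:-https://api.blackshield.chaplau.com}"
readonly BLACKSHIELD_PIPELINE_IMAGE="${BLACKSHIELD_PIPELINE_IMAGE:-public.ecr.aws/blackshield-security/pipeline-scanner:1.0.0}"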

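#######################################
# Replace every occurrence of a literal string in a file, in place.
#
# Both the placeholder and the replacement are treated as plain text, never
# as regex or sed replacement syntax. The previous sed-based version spliced
# unescaped caller input into the sed expression, so a replacement coming
# from the environment (e.g. an API URL) containing '|', '&' or '\' would
# corrupt the expression or be reinterpreted; a '.' in the placeholder
# would match any character.
#
# Arguments:
#   $1 - path of the file to edit (must be readable)
#   $2 - literal text to search for (must be non-empty)
#   $3 - literal text to substitute (may be empty)
# Outputs:
#   Rewrites $1 via a temp file in the same directory + rename; on any
#   failure $1 is left untouched. Diagnostics go to stderr.
# Returns:
#   0 on success, 1 on bad arguments or I/O failure.
# Note: the file is read with read -d '', so content is expected to be
#   text without NUL bytes (the generated YAML always is).
#######################################
replace_literal() {
  local file_path="$1"
  local placeholder="$2"
  local replacement="$3"
  local content=""
  # Temp file lives beside the target so the final mv is an atomic rename on
  # the same filesystem; created with '>' so its mode follows the umask,
  # matching how the target file itself was written.
  local tmp_file="${file_path}.tmp.$$"

  if [[ -z "$placeholder" ]]; then
    printf 'replace_literal: placeholder must be non-empty\n' >&2
    return 1
  fi
  if [[ ! -r "$file_path" ]]; then
    printf 'replace_literal: cannot read %s\n' "$file_path" >&2
    return 1
  fi

  # Slurp the whole file, keeping trailing newlines that $(<file) would
  # strip. read returns non-zero at EOF, which is the normal path here.
  IFS= read -r -d '' content < "$file_path" || true

  # Quoting both the pattern and the replacement inside ${//} is what makes
  # them literal: an unquoted pattern is a glob, and an unquoted '&' in the
  # replacement is expanded to the match on bash >= 5.2 (patsub_replacement).
  if ! printf '%s' "${content//"$placeholder"/"$replacement"}" > "$tmp_file"; then
    rm -f -- "$tmp_file"
    printf 'replace_literal: cannot write %s\n' "$tmp_file" >&2
    return 1
  fi
  mv -f -- "$tmp_file" "$file_path"
}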

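# Fail with a clear message instead of an opaque redirection error below.
if [[ ! -d "$TARGET_ROOT" ]]; then
  printf 'error: target root is not a directory: %s\n' "$TARGET_ROOT" >&2
  exit 1
fi

readonly ci_file="$TARGET_ROOT/.gitlab-ci.yml"
if [[ -e "$ci_file" ]]; then
  # Behaviour is unchanged (the file is replaced); just make it visible.
  printf 'note: overwriting existing %s\n' "$ci_file" >&2
fi

# Pipeline template: one job per scanner (trivy, semgrep, syft, trufflehog)
# sharing .scanner-base, run on merge requests, schedules and the default
# branch. The delimiter is quoted so nothing here is expanded by this shell;
# the API URL and __BLACKSHIELD_PIPELINE_IMAGE__ are substituted afterwards
# by replace_literal.
cat > "$ci_file" <<'EOF'
stages:
  - security

variables:
  BLACKSHIELD_API_URL: "https://api.blackshield.chaplau.com"
  # Set BLACKSHIELD_API_KEY in Settings -> CI/CD -> Variables (masked + protected)

.scanner-base: &scanner-base
  stage: security
  image: __BLACKSHIELD_PIPELINE_IMAGE__
  script:
    - python -m pipeline.entrypoint
  variables:
    SCAN_TARGET: "$CI_PROJECT_DIR"
    REPOSITORY_NAME: "$CI_PROJECT_PATH"
    SCAN_INTERVAL_SECONDS: "0"
    LOG_LEVEL: "INFO"
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_PIPELINE_SOURCE == "schedule"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

scan:trivy:
  <<: *scanner-base
  variables:
    SCAN_TOOL: trivy

scan:semgrep:
  <<: *scanner-base
  variables:
    SCAN_TOOL: semgrep

scan:syft:
  <<: *scanner-base
  variables:
    SCAN_TOOL: syft

scan:trufflehog:
  <<: *scanner-base
  before_script:
    - git fetch --unshallow || true
  variables:
    SCAN_TOOL: trufflehog
EOF

# Both values may come from the caller's environment; replace_literal treats
# them as plain text, so URL characters such as '&' or '|' are written verbatim.
replace_literal "$ci_file" "https://api.blackshield.chaplau.com" "$BLACKSHIELD_API_URL"
replace_literal "$ci_file" "__BLACKSHIELD_PIPELINE_IMAGE__" "$BLACKSHIELD_PIPELINE_IMAGE"

printf '%s\n' "Wrote source bundle files:"
printf '  - %s\n' "$ci_file"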
