FROM golang:1.26-bookworm AS go-tools

ARG GITLEAKS_VERSION=v8.30.1
ARG OSV_SCANNER_VERSION=v2.4.0

RUN go install github.com/zricethezav/gitleaks/v8@${GITLEAKS_VERSION} \
  && go install github.com/google/osv-scanner/v2/cmd/osv-scanner@${OSV_SCANNER_VERSION}

FROM python:3.12-bookworm

ENV DEBIAN_FRONTEND=noninteractive \
    PIP_DISABLE_PIP_VERSION_CHECK=1 \
    PYTHONDONTWRITEBYTECODE=1

RUN apt-get update \
  && apt-get install -y --no-install-recommends \
    bash \
    ca-certificates \
    curl \
    git \
    gnupg \
    jq \
  && curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
  && apt-get install -y --no-install-recommends nodejs \
  && curl -fsSL https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor -o /usr/share/keyrings/trivy.gpg \
  && printf 'deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main\n' > /etc/apt/sources.list.d/trivy.list \
  && apt-get update \
  && apt-get install -y --no-install-recommends trivy \
  && rm -rf /var/lib/apt/lists/*

COPY --from=go-tools /go/bin/gitleaks /usr/local/bin/gitleaks
COPY --from=go-tools /go/bin/osv-scanner /usr/local/bin/osv-scanner
COPY requirements-audit.txt /tmp/requirements-audit.txt

RUN python -m pip install --upgrade pip \
  && python -m pip install --no-cache-dir -r /tmp/requirements-audit.txt \
  && python -m pip install --no-cache-dir "semgrep>=1.140,<2" \
  && python -m pip install --no-cache-dir --upgrade --no-deps "click>=8.3.3" \
  && npm install -g jscpd \
  && semgrep --version \
  && bandit --version \
  && ruff --version \
  && gitleaks version \
  && osv-scanner --version \
  && trivy --version \
  && jscpd --version

RUN mkdir -p /workspace \
  && chmod 0777 /workspace

WORKDIR /workspace

USER 65532:65532
HEALTHCHECK NONE

CMD ["bash", "tools/checks/check-security-audit.sh", "--mode", "ci", "--scope", "current"]
