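---
# CI workflow: SSH into the container host and run a Trivy CVE scan against
# the locally built website image.
#
# Security notes for this workflow:
#   * Host key verification is strict. The known_hosts content comes ONLY from
#     the SSH_KNOWN_HOSTS secret; the former ssh-keyscan fallback is gone
#     because it silently trusted whatever key the network answered with
#     (trust-on-first-use), which defeats the point of pinning the key.
#   * The SSH private key is exposed only to the step that writes it to disk,
#     not to every step of the job.
#   * The scan fails the job on HIGH/CRITICAL findings; previously `trivy image`
#     always exited 0, so a push to main could never be blocked by the scan.
name: Scan Image for CVEs

on:
  push:
    branches:
      - main
      - develop

env:
  # Global, non-sensitive structural values.
  # TARGET_HOST is the podman/Docker "host gateway" alias, i.e. the machine
  # running the runner container.
  TARGET_HOST: host.containers.internal
  TARGET_USER: traefik
  # Image reference without tag; the scan step appends ":latest".
  CONTAINER_NAME: localhost/valtrix-website

jobs:
  scan_image:
    runs-on: ubuntu-latest
    steps:
      - name: Set up SSH client with pinned host keys
        shell: bash
        env:
          # Step-scoped: the secrets are needed only to write the files below.
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
          SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
        run: |
          set -euo pipefail

          # Fail fast instead of falling back to an unverified host key: an
          # empty known_hosts must be a configuration error, not a silent
          # "accept whatever the network says".
          if [ -z "${SSH_PRIVATE_KEY:-}" ]; then
            echo "SSH_PRIVATE_KEY secret is not set" >&2
            exit 1
          fi
          if [ -z "${SSH_KNOWN_HOSTS:-}" ]; then
            echo "SSH_KNOWN_HOSTS secret is not set; refusing to connect without a pinned host key" >&2
            exit 1
          fi

          install -m 700 -d ~/.ssh

          # umask 077 in a subshell so the key file is never world-readable,
          # even for the instant between creation and chmod.
          (
            umask 077
            printf '%s\n' "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
          )
          chmod 600 ~/.ssh/id_ed25519

          printf '%s\n' "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts
          chmod 644 ~/.ssh/known_hosts

          # Sanity check: the pinned file must actually contain an entry for
          # the host we are about to connect to.
          if ! ssh-keygen -F "$TARGET_HOST" -f ~/.ssh/known_hosts >/dev/null; then
            echo "SSH_KNOWN_HOSTS has no entry for $TARGET_HOST" >&2
            exit 1
          fi

      - name: Scan container image with Trivy
        shell: bash
        run: |
          set -euo pipefail

          # StrictHostKeyChecking=yes: never prompt or auto-add; BatchMode=yes:
          # never hang on a password/passphrase prompt in CI.
          # The remote script is a quoted heredoc so nothing in it is expanded
          # locally; the image name is handed over via the environment instead
          # of being interpolated into the command string.
          ssh -i ~/.ssh/id_ed25519 \
              -o StrictHostKeyChecking=yes \
              -o BatchMode=yes \
              "$TARGET_USER@$TARGET_HOST" \
              "CONTAINER_NAME='$CONTAINER_NAME' bash -s" <<'EOF'
          set -euo pipefail
          # --exit-code 1 turns findings into a failed job; without it the scan
          # is purely informational and can never gate a push to main.
          trivy image --exit-code 1 --severity HIGH,CRITICAL "${CONTAINER_NAME}:latest"
          EOF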