---
version: '3'

vars:
  DOCKERHUB_PROFILE: megabytelabs
  TAGS: latest slim

tasks:
  bandit:
    deps:
      - :install:python:dependencies
    desc: Check for Python code security issues
    log:
      error: '`bandit` reported some security issues that need to be fixed!'
      start: Running `bandit -r run.py`
      success: No security issues found with `bandit`!
    cmds:
      - |
        if [ -f run.py ]; then
          poetry run bandit -r run.py
        fi
      - |
        if [ -d src ]; then
          poetry run bandit -r src
        fi

  dockle:
    deps:
      - :install:software:dockle
      - :install:software:jq
    desc: Analyze and lint the Docker container using Dockle
    summary: |
      # Analyze and lint Docker containers with Dockle

      Dockle is a Docker image linter that reports security tips and conflicts with best practices. It does
      more than what Hadolint does, according to their GitHub page. Instead of linting the Dockerfile, it
      lints the actual image.

      **Example usage for scanning standard Docker repository (with `slim` build):**
      `task security:dockle`

      **Example usage for any image:**
      `task security:dockle -- namespace/image:tag`

      For more information, see [Dockle's GitHub page](https://github.com/goodwithtech/dockle).
    log:
      error: Dockle found some errors that need to be fixed!
      start: Scanning image(s) with Dockle
      success: Successfully completed scan with Dockle
    cmds:
      - |
        {{if .CLI_ARGS}}
          dockle {{.CLI_ARGS}}
        {{else}}
          DOCKER_IMAGE="$(jq -r '.slug' .variables.json)"
          for TAG in {{.TAGS}}; do
            dockle "{{.DOCKERHUB_PROFILE}}/${DOCKER_IMAGE}:${TAG}"
          done
        {{end}}

  gitleaks:
    deps:
      - :install:software:gitleaks
    desc: Scans repository (including git history) for possible leaked keys
    summary: |
      # Scan repository with Gitleaks

      Find accidentally committed passwords, private keys, and API keys by scanning the repository with
      Gitleaks.

      **Example of scanning current repository:**
      `task lint:gitleaks`

      **Example of scanning a public git repository:**
      `task lint:gitleaks -- https://github.com/ProfessorManhattan/Windows12`

      For more information, see the [Gitleaks GitHub page](https://github.com/zricethezav/gitleaks).
    log:
      error: Possible leak detected by `gitleaks`
      start: Scanning repository with `gitleaks`
      success: Successfully completed `gitleaks` repository scan for secrets
    cmds:
      - |
        {{if .CLI_ARGS}}
          gitleaks --repo-url '{{.CLI_ARGS}}' -v
        {{else}}
          gitleaks -p . -v
        {{end}}

  grype:
    deps:
      - :install:software:grype
    desc: Scan container images and file systems for security issues using Grype
    summary: |
      # Scan containers and file systems using Grype

      Grype is a container and file system security scanner. This task is simply an alias for
      the `grype` command that will first ensure it is installed before running the command.

      **Example usage:**
      `task grype -- ubuntu:latest --fail-on medium`
    log:
      error: Grype found some potential issues!
      start: Scanning with Grype
      success: Scan completed by Grype
    cmds:
      - grype {{.CLI_ARGS}}

  private-keys:
    deps:
      - :install:pipx:pre-commit-hooks
    desc: Scan for private keys
    summary: |
      # Scan for private keys

      This task will scan the project for private keys that might not belong where they are. You
      can pass this task a single file or let it loop through the project. If you loop through
      the project, common folders like 'node_modules/' and 'venv/' will be ignored.

      **Example scanning the whole project:**
      `task lint:private-keys`

      **Example scanning single file:**
      `task lint:private-keys -- filename.ext`
    log:
      error: Private keys were found - make sure you do not commit private keys!
      start: Scanning for private keys
      success: No private keys were found!
    cmds:
      - |
        PATH="$PATH:$HOME/.local/bin"
        {{if .CLI_ARGS}}
          {{.PYTHON_HANDLE}}detect-private-key {{.CLI_ARGS}}
        {{else}}
          find . -type d \( {{.IGNORE_FOLDERS}} \) -prune -o -type f -print0 | xargs -0 -r -n1 {{.PYTHON_HANDLE}}detect-private-key
        {{end}}

  snyk:
    deps:
      - :install:npm:snyk
      - :install:software:jq
    desc: Analyze the Docker container for security vulnerabilities with Snyk (requires login)
    summary: |
      # Analyze the Docker container with Snyk

      One of the services Snyk provides is the capability to identify Docker container vulnerabilities. These
      vulnerabilities can potentially be used by bad actors. Normally, care should be taken to fix
      the vulnerabilities Snyk reports whenever possible. To use Snyk, you must be authenticated with their
      service. Signing up is free and easy (albeit, there is a limit to the number of scans you can run for free).
      All you have to do is run `snyk auth` with the `snyk` NPM package installed.

      **Example usage for scanning standard Docker repository (with `slim` build and Dockerfile in root directory):**
      `task security:snyk`

      **Example usage for any image:**
      `task security:snyk -- namespace/image:tag`

      For more information, see [Snyk's website](https://snyk.io/what-is-snyk/).
    log:
      error: '`snyk` reported security errors!'
      start: Scanning {{if .CLI_ARGS}}`{{.CLI_ARGS}}`{{else}}all tags of the Dockerfile{{end}} with `snyk`
      success: Passed `snyk` security test
    cmds:
      - task: snyk:login
      - |
        {{if .CLI_ARGS}}
          snyk test --docker {{.CLI_ARGS}}
        {{else}}
          for TAG in {{.TAGS}}; do
            DOCKER_IMAGE="$(jq -r '.slug' .variables.json)"
            snyk test --docker {{.DOCKERHUB_PROFILE}}/${DOCKER_IMAGE}:${TAG} --file=Dockerfile
          done
        {{end}}

  snyk:login:
    env:
      SNYK_API_TOKEN:
        sh: snyk config get api
    log:
      error: Encountered error while logging in with `snyk auth`
      start: Logging in with `snyk auth`
      success: Successfully authenticated with `snyk auth`
    cmds:
      - snyk auth
    status:
      - '[ ! -z "$SNYK_API_TOKEN" ]'

  trivy:
    deps:
      - :install:software:jq
      - :install:software:trivy
    desc: Analyze the Docker container for security vulnerabilities with Trivy
    summary: |
      # Analyze the Docker container with Trivy

      Trivy is a simple and comprehensive vulnerability and misconfiguration scanner for containers
      and other artifacts. This task leverages Trivy's ability to report possible vulnerabilities in
      the Docker container.

      **Example usage for scanning both the 'latest' and 'slim' build in a standard Docker repository:**
      `task security:trivy`

      **Example usage for scanning any image:**
      `task security:trivy -- alpine:latest`

      For more information, see [Trivy's website](https://aquasecurity.github.io/trivy/).
    log:
      error: Trivy detected one or more significant vulnerabilities in the image(s)
      start: Analyzing Docker image with Trivy
      success: Trivy reported no major vulnerabilities
    cmds:
      - |
        {{if .CLI_ARGS}}
          trivy image {{.CLI_ARGS}}
        {{else}}
          DOCKER_IMAGE="$(jq -r '.slug' .variables.json)"
          for TAG in {{.TAGS}}; do
            trivy image {{.DOCKERHUB_PROFILE}}/${DOCKER_IMAGE}:${TAG}
          done
        {{end}}