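// Jenkins declarative pipeline: Semgrep SAST -> DefectDojo import -> image build/push.
// Secrets bound here are read from the *shell* environment in the steps below (single-quoted
// sh scripts); Groovy-interpolating them into a sh string would copy the secret into the
// generated script file and process arguments on the agent.
pipeline {
    agent any

    options {
        timestamps()
        disableConcurrentBuilds()
    }

    environment {
        REGISTRY       = "git.brammie15.dev"
        IMAGE_NAME     = "brammie15/resendit"
        REGISTRY_CREDS = "registry-creds"
        IMAGE          = "${REGISTRY}/${IMAGE_NAME}"
        DD_URL         = "https://DD.brammie15.dev"
        // Masked in the console log, but exported to every sh step of the run.
        DD_API_KEY     = credentials('dd-api-key')
        // Not used by any stage below, yet exposed to all of them.
        // NOTE(review): bind it with withCredentials() in the stage that needs it, or drop it.
        NVD_API_KEY    = credentials("nvd-api-key")
    }

    stages {
        // Runs before checkout, so the listing shows whatever the previous build left behind.
        stage('Debug') {
            steps {
                sh 'echo "WORKSPACE: $WORKSPACE" && echo "PWD: $(pwd)" && ls -la'
            }
        }

        stage('Checkout') {
            steps {
                checkout scm
            }
        }

        stage('SAST - Semgrep') {
            steps {
                // NOTE(review): ':latest' is a moving tag; pin the scanner image by digest so
                // the scan is reproducible and the image cannot be swapped underneath the job.
                // NOTE(review): '--config=auto' pulls rules from the Semgrep registry at scan
                // time and, as documented by Semgrep, turns on metrics reporting (project
                // identity is sent) -- confirm that is acceptable here.
                // '--debug' is very verbose; keep it only while troubleshooting.
                // A scanner failure is deliberately non-fatal (|| true); the upload stage
                // fails if no report was produced.
                sh '''
                    docker run --rm -v "$(pwd):/src" \
                        returntocorp/semgrep:latest \
                        semgrep scan --config=auto --debug \
                            --json --output /src/semgrep.json \
                            /src/internal /src/cmd || true
                    echo "After semgrep:"
                    ls -la
                '''
            }
        }

        stage('Upload to DefectDojo') {
            steps {
                // Single-quoted: $DD_URL and $DD_API_KEY are expanded by the shell, not by
                // Groovy. --fail makes an HTTP error from DefectDojo fail the stage instead
                // of leaving a "green" build with no findings imported.
                sh '''
                    [ -s semgrep.json ] || { echo "semgrep.json is missing or empty" >&2; exit 1; }
                    curl -sS --fail -X POST "${DD_URL}/api/v2/import-scan/" \
                        -H "Authorization: Token ${DD_API_KEY}" \
                        -F "scan_type=Semgrep JSON Report" \
                        -F "file=@$(pwd)/semgrep.json" \
                        -F "product_name=Sendit" \
                        -F "engagement_name=Jenkins-CI" \
                        -F "auto_create_context=true" \
                        -F "close_old_findings=true"
                '''
            }
        }

        stage('Build image') {
            steps {
                script {
                    // The 12-character abbreviated commit is the immutable image tag.
                    def shortSha = sh(script: 'git rev-parse --short=12 HEAD', returnStdout: true).trim()
                    env.IMAGE_TAG_SHA = shortSha
                    sh """
                        docker build \
                            --build-arg GIT_COMMIT=${shortSha} \
                            -t ${IMAGE}:${shortSha} .
                    """
                }
            }
        }

        stage('Login to registry') {
            steps {
                // Password goes in via stdin, never as an argument. docker login persists the
                // credential in ~/.docker/config.json on the agent; post{} logs out again.
                withCredentials([usernamePassword(credentialsId: "${REGISTRY_CREDS}",
                                                  usernameVariable: 'REG_USER',
                                                  passwordVariable: 'REG_PASS')]) {
                    sh 'echo "$REG_PASS" | docker login "${REGISTRY}" -u "$REG_USER" --password-stdin'
                }
            }
        }

        stage('Push image') {
            steps {
                script {
                    sh "docker push ${IMAGE}:${env.IMAGE_TAG_SHA}"

                    // Multibranch jobs provide BRANCH_NAME; fall back to git for plain jobs.
                    def branch = (env.BRANCH_NAME ?: sh(script: 'git rev-parse --abbrev-ref HEAD', returnStdout: true).trim())

                    // A docker tag must match [A-Za-z0-9_][A-Za-z0-9_.-]{0,127}: map disallowed
                    // characters to '-', drop a leading '.'/'-' and cap the length.
                    def safeBranch = branch.replaceAll('[^a-zA-Z0-9_.-]', '-').replaceAll('^[.-]+', '')
                    if (safeBranch.length() > 128) {
                        safeBranch = safeBranch.substring(0, 128)
                    }
                    if (!safeBranch) {
                        safeBranch = 'unnamed-branch'
                    }
                    // Remembered so post{} can remove the local tag.
                    env.IMAGE_TAG_BRANCH = safeBranch

                    sh """
                        docker tag ${IMAGE}:${env.IMAGE_TAG_SHA} ${IMAGE}:${safeBranch}
                        docker push ${IMAGE}:${safeBranch}
                    """

                    // Only the master branch moves the floating 'latest' tag.
                    if (branch == 'master') {
                        sh """
                            docker tag ${IMAGE}:${env.IMAGE_TAG_SHA} ${IMAGE}:latest
                            docker push ${IMAGE}:latest
                        """
                    }
                }
            }
        }
    }

    post {
        always {
            sh 'docker logout "${REGISTRY}" || true'
            // Remove every local tag this build may have created. Untagging only the SHA tag
            // leaves the image reachable via the branch/latest tags, so 'prune' (dangling
            // images only) would never reclaim it.
            sh '''
                for tag in "${IMAGE_TAG_SHA}" "${IMAGE_TAG_BRANCH}" latest; do
                    [ -n "$tag" ] && docker image rm -f "${IMAGE}:${tag}" || true
                done
            '''
            sh 'docker image prune -f || true'
            // The report can contain source excerpts; do not leave it in the shared workspace.
            sh 'rm -f semgrep.json || true'
        }
    }
}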