stages:
  - scan

cache:
  paths:
    - .sonar/cache
    - .cache

# ============================================================
# 🧠 Step 1: Security Scan dengan gosec (pakai Go 1.24)
# ============================================================
gosec_scan:
  stage: scan
  image: golang:1.24
  script:
    - go install github.com/securego/gosec/v2/cmd/gosec@latest
    - echo "🔍 Menjalankan scan keamanan Go..."
    - gosec -fmt=json -out=gosec-report.json ./...
    - echo "📄 Jumlah issue terdeteksi:" && cat gosec-report.json | jq '.Issues | length'
  artifacts:
    when: always
    paths:
      - gosec-report.json
    expire_in: 1 week
  allow_failure: false
  only:
    - devops-ec2

# ============================================================
# 🧱 Step 2: Analisis SonarQube
# ============================================================
sonarqube_analysis:
  stage: scan
  image: sonarsource/sonar-scanner-cli:latest
  script:
    - echo "🚀 Menjalankan analisis SonarQube..."
    - if [ -f "go.mod" ]; then go test ./... -coverprofile=coverage.out || true; fi
    - sonar-scanner \
        -Dsonar.projectKey="mbu-lti-backend" \
        -Dsonar.projectName="MBU LTI Backend" \
        -Dsonar.sources="." \
        -Dsonar.host.url="https://status.mbugroup.id/sonar" \
        -Dsonar.login="sqp_97b3cb2f80ce932fb07b5641aeecc8704b76d1a7" \
        -Dsonar.go.coverage.reportPaths="coverage.out" \
        -Dsonar.sourceEncoding="UTF-8" \
        -Dsonar.verbose=true
  only:
    - devops-ec2
  allow_failure: false
  dependencies:
    - gosec_scan
  artifacts:
    when: always
    paths:
      - .scannerwork
      - coverage.out
    expire_in: 1 week