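---
# GitLab CI pipeline: static security scanning (gosec) and SonarQube analysis
# for the Go backend. Both jobs run in the single "scan" stage.

stages:
  - scan

cache:
  paths:
    - .sonar/cache
    - .cache

# ============================================================
# Step 1: Security scan with gosec
# ============================================================
gosec_scan:
  stage: scan
  image: golang:1.23
  before_script:
    # jq is only needed for the summary in after_script.
    # NOTE(review): the golang image is not known to ship jq; without this
    # install the summary command fails with "command not found" - confirm.
    - apt-get update && apt-get install -y --no-install-recommends jq
    # NOTE(review): "@latest" installs whatever gosec release is current when
    # the job runs. Pin a reviewed version so a new or compromised upstream
    # release cannot silently change the result of this security gate.
    - go install github.com/securego/gosec/v2/cmd/gosec@latest
  script:
    - echo "🔍 Menjalankan scan keamanan Go..."
    # gosec exits non-zero when it reports findings, which fails the job
    # (allow_failure is false); the JSON report is still uploaded because
    # artifacts use "when: always".
    - gosec -fmt=json -out=gosec-report.json ./...
  after_script:
    # Print the number of findings. This lives in after_script so it also
    # runs when gosec has failed the job; placed after gosec in script it
    # would be skipped in exactly the case where the count is non-zero.
    - test -f gosec-report.json && jq '.Issues | length' gosec-report.json
  artifacts:
    when: always
    paths:
      - gosec-report.json
    expire_in: 1 week
  allow_failure: false
  only:
    - merge_requests
    - branches

# ============================================================
# Step 2: SonarQube analysis
# ============================================================
sonarqube_analysis:
  stage: scan
  # NOTE(review): ":latest" is a floating tag; pin a specific tag or image
  # digest so the scanner that receives the token and the source tree is a
  # known, reviewed build.
  image: sonarsource/sonar-scanner-cli:latest
  script:
    - echo "🚀 Menjalankan analisis SonarQube..."
    # The SonarQube token must never be stored in this file. Define
    # SONAR_TOKEN as a masked CI/CD variable in the project settings.
    # A token that was ever committed to the repository stays readable in
    # the git history and in old job logs: revoke it in SonarQube and issue
    # a new one.
    #
    # A folded scalar (>-) joins the lines below with single spaces, so no
    # backslash continuations are needed. In a plain YAML scalar a trailing
    # "\" is folded into "\ ", which the shell reads as an escaped space.
    #
    # NOTE(review): sonar.verbose=true sends debug output to the job log,
    # which every project member with job access can read; keep it enabled
    # only while troubleshooting.
    - >-
      sonar-scanner
      -Dsonar.projectKey="mbu-lti-backend"
      -Dsonar.projectName="MBU LTI Backend"
      -Dsonar.sources="."
      -Dsonar.host.url="https://status.mbugroup.id/sonar"
      -Dsonar.login="${SONAR_TOKEN}"
      -Dsonar.sourceEncoding="UTF-8"
      -Dsonar.verbose=true
  only:
    - merge_requests
    - branches
  allow_failure: false
  # NOTE(review): gosec_scan is in the same stage as this job. Without a
  # "needs:" entry, jobs of one stage are not ordered, so confirm the gosec
  # artifact is actually present when this job starts.
  dependencies:
    - gosec_scan
  artifacts:
    when: always
    paths:
      - .scannerwork
    expire_in: 1 week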