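---
# GitLab CI pipeline for a Go service: a gosec security scan whose findings are
# imported into SonarQube as "generic external issues", plus Go test coverage.
#
# Both jobs sit in the single `scan` stage. Jobs inside one stage start in
# parallel, so `sonarqube_analysis` declares `needs: gosec_scan` to wait for the
# scan and fetch its artifacts — a bare `dependencies:` entry only selects
# artifacts and does not order jobs within a stage.

stages:
  - scan

cache:
  paths:
    - .sonar/cache
    - .cache

# ============================================================
# Step 1: gosec security scan (never stops the pipeline) + coverage profile
# ============================================================
gosec_scan:
  stage: scan
  image: golang:1.24
  script:
    - apt-get update && apt-get install -y jq
    # NOTE(review): `@latest` is an unpinned supply-chain input; pin a tagged
    # release (`.../gosec@<pinned-version>`) so scan results are reproducible.
    - go install github.com/securego/gosec/v2/cmd/gosec@latest
    - echo "🔍 Menjalankan scan keamanan Go..."
    # gosec exits non-zero when it reports issues; `|| true` keeps the job green
    # because findings are surfaced through SonarQube, not by failing here.
    - gosec -fmt=json -out=gosec-report.json ./... || true
    # If gosec aborted before writing the report, emit an empty one so the jq
    # summary below and the downstream conversion never fail on a missing file.
    - test -f gosec-report.json || echo '{"Issues":[]}' > gosec-report.json
    - echo "📄 Jumlah issue terdeteksi:" && jq '.Issues | length' gosec-report.json
    # Coverage must be produced in this job: the sonar-scanner image has no Go
    # toolchain, so running `go test` there silently does nothing.
    - if [ -f "go.mod" ]; then go test ./... -coverprofile=coverage.out || true; fi
  artifacts:
    when: always
    paths:
      - gosec-report.json
      - coverage.out
    expire_in: 1 week
  allow_failure: false
  only:
    - devops-ec2

# ============================================================
# Step 2: SonarQube analysis (merges the gosec findings)
# ============================================================
sonarqube_analysis:
  stage: scan
  image: sonarsource/sonar-scanner-cli:latest
  # Wait for gosec_scan and pull its artifacts (report + coverage profile).
  needs:
    - job: gosec_scan
      artifacts: true
  script:
    - apk add --no-cache jq
    - echo "🚀 Menjalankan analisis SonarQube..."
    # Convert the gosec report to SonarQube's generic issue format:
    #   * gosec severities are HIGH/MEDIUM/LOW; SonarQube only accepts
    #     BLOCKER/CRITICAL/MAJOR/MINOR/INFO, so they are mapped.
    #   * gosec's `line` is a string and may be a range ("18-20");
    #     `textRange.startLine` must be an integer, so the first number is used.
    #   * gosec reports absolute paths; SonarQube wants paths relative to the
    #     project root, so the checkout directory prefix is stripped
    #     (no-op if the path is already relative).
    #   * `.Issues // []` tolerates a report with a null issue list.
    - echo "🧩 Mengonversi hasil gosec untuk SonarQube..."
    - |
      jq --arg base "$CI_PROJECT_DIR/" '
        def sonar_severity:
          if . == "HIGH" then "CRITICAL"
          elif . == "MEDIUM" then "MAJOR"
          elif . == "LOW" then "MINOR"
          else "MAJOR" end;
        {
          issues: [
            (.Issues // [])[] | {
              engineId: "gosec",
              ruleId: .rule_id,
              primaryLocation: {
                message: .details,
                filePath: (.file | ltrimstr($base)),
                textRange: {
                  startLine: (.line | tostring | split("-")[0] | tonumber)
                }
              },
              type: "VULNERABILITY",
              severity: (.severity | sonar_severity)
            }
          ]
        }' gosec-report.json > gosec-generic-report.json
    # Run as a literal block scalar: a multi-line *plain* scalar is folded onto
    # one line by YAML, which turns every `\` continuation into a stray
    # escaped-space argument for the shell.
    #
    # The SonarQube token is read from the CI/CD variable SONAR_TOKEN — define it
    # as a masked + protected variable. A token that was ever committed to this
    # file must be treated as exposed and regenerated in SonarQube.
    # (`sonar.login` still works on current scanners; `sonar.token` is its
    # newer name.)
    - |
      sonar-scanner \
        -Dsonar.projectKey="mbu-lti-backend" \
        -Dsonar.projectName="MBU LTI Backend" \
        -Dsonar.sources="." \
        -Dsonar.host.url="https://status.mbugroup.id/sonar" \
        -Dsonar.login="$SONAR_TOKEN" \
        -Dsonar.externalIssuesReportPaths="gosec-generic-report.json" \
        -Dsonar.go.coverage.reportPaths="coverage.out" \
        -Dsonar.sourceEncoding="UTF-8" \
        -Dsonar.verbose=true
  artifacts:
    when: always
    paths:
      - .scannerwork
      - gosec-generic-report.json
      - coverage.out
    expire_in: 1 week
  only:
    - devops-ec2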