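---
# Pipeline order: SonarCloud (static analysis) -> Snyk (dependency scan) ->
# build and push the image -> Docker Scout -> Trivy. Every scanning job posts
# to a Discord webhook when it fails. Snyk and Docker Scout are marked
# continue-on-error, so their findings alert but do not block downstream jobs.
name: CI/CD-pipeline-project

on:
  push:
    branches:
      - feature/*
      - main

# Least privilege for GITHUB_TOKEN: no job below writes to the repository
# (image pushes use the Docker Hub credentials, alerts use the webhook URL).
permissions:
  contents: read

jobs:
  sonarcloud:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history so SonarCloud can attribute new code to commits.
          fetch-depth: 0
      - name: SonarCloud Scan
        # NOTE(review): this action reference was mangled in the page
        # rendering ("[email protected]"); restore the real
        # "<owner>/<action>@<version>" from the source file and pin it to a
        # release tag or commit SHA.
        uses: sonarsource/[email protected]
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
      - name: Send failure alert to Discord
        if: failure()
        env:
          DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
        # The branch ref is read from the runner environment and JSON-encoded
        # by jq rather than interpolated into the script with ${{ github.ref }}:
        # a ref containing a quote would otherwise break the shell quoting or
        # the JSON payload. The webhook URL is passed through env for the same
        # reason.
        run: |
          jq -nc --arg ref "$GITHUB_REF" \
            '{content: ("❌ **SonarCloud Scan** a échoué sur la branche `" + $ref + "`")}' \
            | curl -H "Content-Type: application/json" -d @- "$DISCORD_WEBHOOK_URL"

  snyk:
    runs-on: ubuntu-latest
    needs: sonarcloud
    # Findings are alerted on Discord but do not block the build job.
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4
      - name: Run Snyk to check for vulnerabilities
        # NOTE(review): "master" is a mutable ref; pin to a release tag or
        # commit SHA so the scanner cannot change underneath the pipeline.
        uses: snyk/actions/python@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      - name: Send vulnerability alert to Discord
        if: failure()
        env:
          DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
        # Payload is a quoted heredoc: no shell expansion, and apostrophes in
        # the French text need no escaping.
        run: |
          curl -H "Content-Type: application/json" -d @- "$DISCORD_WEBHOOK_URL" <<'EOF'
          {"content": "⚠️ **Snyk** a détecté des vulnérabilités critiques ! Analysez le rapport immédiatement."}
          EOF

  build-and-push:
    name: Build and Push Docker Image to Docker Hub
    needs: snyk
    runs-on: ubuntu-latest
    env:
      # Image reference is kept out of the script text; the secret stays
      # masked in logs either way, but env avoids quoting surprises.
      IMAGE: ${{ secrets.DOCKER_IMAGE_NAME }}:latest
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4
      - name: Log in to Docker Hub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Build Docker image
        run: docker build -t "$IMAGE" .
      - name: Push Docker image
        run: docker push "$IMAGE"

  docker_scout_scan:
    needs: build-and-push
    runs-on: ubuntu-latest
    # Findings are alerted on Discord but do not block the Trivy job.
    continue-on-error: true
    env:
      IMAGE: ${{ secrets.DOCKER_IMAGE_NAME }}:latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Log in to Docker Hub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Pull Docker image
        run: docker pull "$IMAGE"
      - name: Docker Scout
        id: docker-scout
        uses: docker/scout-action@v1
        with:
          command: cves
          # Scan the image that was just pushed. The previous value,
          # steps.meta.outputs.tags, referenced a step id that does not exist
          # in this job and therefore expanded to an empty string.
          image: ${{ env.IMAGE }}
          only-severities: critical,high
          # Fail the step (and trigger the alert below) on matching CVEs.
          exit-code: true
      - name: Send vulnerability alert to Discord
        if: failure()
        env:
          DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
        run: |
          curl -H "Content-Type: application/json" -d @- "$DISCORD_WEBHOOK_URL" <<'EOF'
          {"content": "❗ **Docker Scout** a détecté des vulnérabilités critiques dans l'image Docker."}
          EOF

  trivy:
    needs: docker_scout_scan
    runs-on: ubuntu-latest
    env:
      IMAGE: ${{ secrets.DOCKER_IMAGE_NAME }}:latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Log in to Docker Hub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Pull Docker image
        run: docker pull "$IMAGE"
      - name: Run Trivy - Generate report
        # --exit-code 0 here so the full JSON report is always produced and
        # uploaded; the separate gating step below is what fails the job.
        # NOTE(review): the trivy container gets neither the host Docker
        # socket nor the registry login, so it fetches the image from the
        # registry itself — confirm this works if the repository is private.
        # NOTE(review): aquasec/trivy is used at its floating "latest" tag;
        # pin a version (or digest) for reproducible scans.
        run: |
          docker run --rm -v "$GITHUB_WORKSPACE/.trivycache:/root/.cache/" \
            -v "$GITHUB_WORKSPACE:/workspace" aquasec/trivy image --exit-code 0 \
            --format json --output "/workspace/trivy-report.json" "$IMAGE"
      - name: Upload Trivy report
        # upload-artifact v3 is deprecated and no longer accepted by GitHub.
        uses: actions/upload-artifact@v4
        with:
          name: trivy-report
          path: trivy-report.json
      - name: Fail on critical/high vulnerabilities
        # Without this pass the job could never fail on findings (the report
        # step forces exit code 0), so the alert below would only ever fire
        # on an infrastructure error. The DB cache from the previous step is
        # reused, so this is cheap.
        run: |
          docker run --rm -v "$GITHUB_WORKSPACE/.trivycache:/root/.cache/" \
            aquasec/trivy image --exit-code 1 --severity CRITICAL,HIGH "$IMAGE"
      - name: Send vulnerability alert to Discord
        if: failure()
        env:
          DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
        # Quoted heredoc: the apostrophe in "l'image" previously terminated
        # the shell's single-quoted string and broke the command.
        run: |
          curl -H "Content-Type: application/json" -d @- "$DISCORD_WEBHOOK_URL" <<'EOF'
          {"content": "❗ **Trivy** a détecté des vulnérabilités dans l'image Docker ! Vérifiez le rapport pour plus de détails."}
          EOF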