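---
# Reusable workflow: run OSV-Scanner fully offline inside a hardened container
# (no network, read-only rootfs, all capabilities dropped) and publish the
# resulting SARIF report as a downloadable artifact.
name: Run Sec Scan

on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      ecosystems:
        description: "Comma-separated ecosystems for setup-osv-db (see sec-actions/setup-osv-db)."
        required: false
        type: string
        default: "github-actions,npm,go,docker"
      cache-bucket-hours:
        description: "Cache key time bucket (hours) for setup-osv-db."
        required: false
        type: number
        default: 24
      osv-scanner-image:
        description: "Container image for OSV-Scanner (run with hardened docker options)."
        required: false
        type: string
        # Floating tag: scans are not reproducible and the image can change
        # underneath the workflow. Callers wanting a fixed scanner should pass
        # an image pinned by digest (image@sha256:<digest>).
        default: "ghcr.io/google/osv-scanner:latest"
    outputs:
      merged-sarif-artifact:
        description: "Artifact name containing the SARIF file (download this artifact; file inside is merged-sarif.json)."
        value: ${{ jobs.osv-scan.outputs.merged-sarif-artifact }}
      merged-sarif-path:
        description: "Path to the SARIF file inside the artifact (merged-sarif.json)."
        value: ${{ jobs.osv-scan.outputs.merged-sarif-path }}

jobs:
  osv-scan:
    runs-on: ubuntu-latest
    # NOTE(review): no job-level `permissions:` block; on runners that honour
    # it, `permissions: { contents: read }` is all this job needs.
    outputs:
      merged-sarif-artifact: ${{ steps.meta.outputs.merged-sarif-artifact }}
      merged-sarif-path: ${{ steps.meta.outputs.merged-sarif-path }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Setup offline OSV DB
        id: setup-db
        # NOTE(review): `@main` is a mutable ref; pin to a commit SHA like the
        # checkout step above so a change in the action cannot alter this scan.
        uses: https://gitea.t000-n.de/t.behrendt/sec-actions/setup-osv-db@main
        with:
          ecosystems: ${{ inputs.ecosystems }}
          cache-bucket-hours: ${{ inputs.cache-bucket-hours }}

      - name: Run OSV-Scanner in Docker (offline, no network, read-only)
        id: scan
        # Caller-controlled and step-produced values enter the shell through
        # `env:` rather than `${{ }}` interpolated into the script body, so a
        # crafted input cannot rewrite the script (expression injection).
        env:
          CACHE: ${{ steps.setup-db.outputs.cache-dir }}
          IMAGE: ${{ inputs.osv-scanner-image }}
        run: |
          set -euo pipefail
          SARIF_HOST_DIR="${RUNNER_TEMP}/osv-sarif-out"
          mkdir -p "${SARIF_HOST_DIR}"

          # Fail early on values that would be mis-parsed as docker options
          # or that point at a non-existent DB directory.
          case "${IMAGE}" in
            ""|-*) echo "::error::osv-scanner-image must be a non-empty image reference" >&2; exit 1 ;;
          esac
          if [ -z "${CACHE}" ] || [ ! -d "${CACHE}" ]; then
            echo "::error::setup-osv-db did not produce a usable cache-dir" >&2
            exit 1
          fi

          # Hardened sandbox: no network (DB is mounted read-only), read-only
          # rootfs with a small non-executable tmpfs, no capabilities, and
          # no privilege escalation; only /out is writable for the report.
          # NOTE(review): OSV-Scanner documents a non-zero exit status when it
          # finds vulnerabilities; with `set -e` that fails this step and the
          # later upload never runs — confirm that is the intended contract.
          docker run --rm \
            --network none \
            --read-only \
            --tmpfs /tmp:rw,noexec,nosuid,size=256m \
            --cap-drop ALL \
            --security-opt no-new-privileges \
            -v "${GITHUB_WORKSPACE}:/work:ro" \
            -v "${CACHE}:/osv-db:ro" \
            -v "${SARIF_HOST_DIR}:/out" \
            -e OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY=/osv-db \
            "${IMAGE}" \
            scan source --offline-vulnerabilities --format sarif --output /out/merged-sarif.json -r /work

      - name: Artifact metadata
        id: meta
        # Exposes the artifact name and the report's path inside it as job
        # outputs so callers can locate the SARIF without hard-coding names.
        run: |
          echo "merged-sarif-artifact=merged-sarif" >> "$GITHUB_OUTPUT"
          echo "merged-sarif-path=merged-sarif.json" >> "$GITHUB_OUTPUT"

      # NOTE(review): `@v4` is a mutable tag; pin to a commit SHA for supply-chain
      # consistency with the checkout step.
      - uses: https://github.com/ChristopherHX/gitea-upload-artifact@v4
        with:
          name: merged-sarif
          path: ${{ runner.temp }}/osv-sarif-out/merged-sarif.json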