pipeline {
  # agent { node { label 'podman && trivy && aws' } }
  agent any
  stages {
    stage('Build'){
        steps {
            sh 'make build'
        }
    }
    stage('Scan'){
        environment { 
            TRIVY_TEMPLATE = "@${env.WORKSPACE}/html.tpl"
	    TRIVY_FORMAT = "template"
	    TRIVY_OUTPUT = "reports/trivy.html"
        }
        steps {
            // Scan via trivy
            sh 'mkdir -p reports'
            sh 'make scan'
            publishHTML target : [
                allowMissing: true,
                alwaysLinkToLastBuild: true,
                keepAll: true,
                reportDir: 'reports',
                reportFiles: 'trivy.html',
                reportName: 'Trivy Scan',
                reportTitles: 'Trivy Scan'
            ]

            // Scan again and fail on CRITICAL vulns
            sh 'TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=CRITICAL make scan'
        }
    }
    stage('Push'){
        steps {
            sh 'make push'
        }
    }
  }
}