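---
# Reusable workflow: runs Trivy's config (IaC) scanner against the Terraform
# in the calling repository. Invoked from other workflows via `workflow_call`.
#
# Secrets the caller must pass (`secrets:` on the calling job):
#   ssh-private-key  - private key installed for git-over-SSH during init
#   ssh-known-hosts  - known_hosts entries for the hosts that key talks to
# `secrets.TF_API_TOKEN` is also read below but is not declared here, so the
# caller must pass it too (or use `secrets: inherit`).
# NOTE(review): consider declaring TF_API_TOKEN as a required secret as well so
# the contract is explicit — confirm with the calling workflows.
name: checks-trivy

on:  # yamllint disable-line rule:truthy
  workflow_call:
    # The two secrets were nested directly under `workflow_call`, which only
    # accepts `inputs`, `outputs` and `secrets`; the steps below read them
    # from the `secrets` context, so they belong under `secrets:`.
    secrets:
      ssh-private-key:
        required: true
      ssh-known-hosts:
        required: true

# Least privilege for GITHUB_TOKEN: checkout only needs read access and no
# step writes back to the repository or calls the GitHub API.
permissions:
  contents: read

jobs:
  checks-trivy:
    name: checks-trivy
    runs-on: ubuntu-latest
    steps:
      - uses: hashicorp/setup-terraform@v2
        with:
          terraform_version: "1.5.7"  # quoted so it is never re-typed
          cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}

      - name: Clone repo
        uses: actions/checkout@v4

      - name: Setup SSH key
        uses: benoitchantre/setup-ssh-authentication-action@1.0.1
        with:
          private-key: ${{ secrets.ssh-private-key }}
          private-key-name: id_ed25519
          known-hosts: ${{ secrets.ssh-known-hosts }}

      # init runs before the scans; presumably so that modules/providers
      # fetched during init are present when Trivy walks the tree — verify.
      - name: Run terraform init
        shell: bash
        run: terraform init

      # LOW/MEDIUM findings are reported only (exit-code "0") so the job
      # stays green; HIGH/CRITICAL findings in the next step fail it.
      # NOTE(review): `@master` is a mutable ref on a security tool in the
      # supply chain; pin to a release tag or commit SHA — TODO.
      - name: Run Trivy vulnerability scanner in IaC mode (LOW/MED)
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: "config"
          hide-progress: false
          format: "table"
          exit-code: "0"
          ignore-unfixed: true
          severity: "LOW,MEDIUM"

      # exit-code "1" makes HIGH/CRITICAL misconfigurations block the pipeline.
      - name: Run Trivy vulnerability scanner in IaC mode (HIGH/CRIT)
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: "config"
          hide-progress: false
          format: "table"
          exit-code: "1"
          ignore-unfixed: true
          severity: "CRITICAL,HIGH"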