{{- if .Values.pipeline.enabled }}
apiVersion: argoproj.io/v1alpha1
kind: ClusterWorkflowTemplate
metadata:
  name: {{ .Values.pipeline.name | quote }}
spec:
  serviceAccountName: {{ .Values.pipeline.serviceAccountName | quote }}
  entrypoint: security-pipeline
  onExit: pipeline-exit-hook
  volumeClaimTemplates:
    - metadata:
        name: workspace
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: {{ .Values.pipeline.workspace.storage | quote }}
  arguments:
    parameters:
      - name: working-dir
        value: {{ .Values.pipeline.workingDir | quote }}
      - name: fail-on-cvss
        value: {{ .Values.pipeline.failOnCvss | quote }}
      - name: repo-url
      - name: git-revision
        value: {{ .Values.pipeline.gitRevision | quote }}
  templates:
    - name: security-pipeline
      dag:
        tasks:
          - name: clone
            template: clone-repo
            arguments:
              parameters:
                - name: repo-url
                  value: {{ `{{workflow.parameters.repo-url}}` | quote }}
                - name: git-revision
                  value: {{ `{{workflow.parameters.git-revision}}` | quote }}
          - name: scanners
            dependencies:
              - clone
            template: parallel-scanners
            arguments:
              parameters:
                - name: working-dir
                  value: {{ `{{workflow.parameters.working-dir}}` | quote }}
          - name: enforce-policy
            dependencies:
              - scanners
            template: enforce-policy
            arguments:
              parameters:
                - name: fail-on-cvss
                  value: {{ `{{workflow.parameters.fail-on-cvss}}` | quote }}
{{- if .Values.storage.enabled }}
          - name: upload-storage
            dependencies:
              - scanners
            template: upload-storage
{{- end }}
{{- if .Values.defectdojo.enabled }}
          - name: upload-defectdojo
            dependencies:
              - scanners
            template: upload-defectdojo
{{- end }}
    - name: clone-repo
      inputs:
        parameters:
          - name: repo-url
          - name: git-revision
      container:
        image: {{ .Values.images.git | quote }}
        command:
          - sh
          - -c
        args:
          - git clone --branch {{ `{{inputs.parameters.git-revision}}` | quote }} --single-branch {{ `{{inputs.parameters.repo-url}}` | quote }} /workspace
        volumeMounts:
          - name: workspace
            mountPath: /workspace
    - name: parallel-scanners
      inputs:
        parameters:
          - name: working-dir
      dag:
        tasks:
          {{- range $scanner := list "trufflehog" "semgrep" "kics" "socketdev" "syft-grype" "pulumi-crossguard" }}
          - name: {{ $scanner }}
            template: scan-{{ $scanner }}
            arguments:
              parameters:
                - name: working-dir
                  value: {{ `{{inputs.parameters.working-dir}}` | quote }}
          {{- end }}
    - name: pipeline-exit-hook
      container:
        image: {{ .Values.images.curl | quote }}
        command:
          - sh
          - -c
        args:
          - |
            set -eu
            echo "Pipeline completed with status: {{ `{{workflow.status}}` }}"
{{ include "template.scan-trufflehog" . | nindent 4 }}
{{ include "template.scan-semgrep" . | nindent 4 }}
{{ include "template.scan-kics" . | nindent 4 }}
{{ include "template.scan-socketdev" . | nindent 4 }}
{{ include "template.scan-syft-grype" . | nindent 4 }}
{{ include "template.scan-pulumi-crossguard" . | nindent 4 }}
{{- if .Values.storage.enabled }}
{{ include "template.upload-storage" . | nindent 4 }}
{{- end }}
{{- if .Values.defectdojo.enabled }}
{{ include "template.upload-defectdojo" . | nindent 4 }}
{{- end }}
{{ include "template.enforce-policy" . | nindent 4 }}
{{- end }}