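#!/bin/bash
# Security Scan Script
#
# Runs a set of security checks against the portfolio project:
#   1. npm audit at --audit-level=high            (blocking)
#   2. Trivy filesystem scan, vuln + secret       (blocking, skipped if not installed)
#   3. Repository secret scan via ./scripts/check-secrets.sh (blocking)
#   4. Outdated-dependency report (npm outdated)  (informational)
#   5. npm audit at --audit-level=moderate        (informational)
#
# Must be run from the project root (the directory containing package.json).
#
# Exit status: 0 when no blocking finding was made; 1 when a blocking check
# reported secrets or high/critical vulnerabilities, or a blocking scanner
# could not run. Informational items (outdated packages, moderate
# vulnerabilities) only print warnings and never change the exit status, so
# the script can be used as a CI gate without being noisy.
#
# -e: abort on unexpected command failure (checks below are wrapped in `if`,
#     so -e does not fire for them); -u: unset variables are bugs;
# -o pipefail: a failing stage in a pipeline fails the pipeline.
set -euo pipefail

echo "🔒 Starting security scan..."

# Colors for output (interpreted via printf %b, so they stay escape sequences here)
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color

# Number of blocking findings seen so far; decides the final exit status.
failures=0

# Print a success line to stdout.
#   $1 - message
print_status() {
  printf '%b✅ %s%b\n' "$GREEN" "${1-}" "$NC"
}

# Print a non-blocking warning line to stdout.
#   $1 - message
print_warning() {
  printf '%b⚠️ %s%b\n' "$YELLOW" "${1-}" "$NC"
}

# Print a blocking finding to stderr. Callers bump `failures` themselves so
# the function has no hidden side effects.
#   $1 - message
print_error() {
  printf '%b❌ %s%b\n' "$RED" "${1-}" "$NC" >&2
}

# Check if we're in the right directory
if [[ ! -f "package.json" ]]; then
  print_error "Please run this script from the project root directory"
  exit 1
fi

# 1. NPM Audit (high/critical) — blocking
echo "🔍 Running npm audit..."
if npm audit --audit-level=high; then
  print_status "NPM audit passed - no high/critical vulnerabilities found"
else
  # npm audit exits non-zero both for findings at/above the level and when it
  # cannot run (no lockfile, registry unreachable); neither may pass a gate.
  print_error "NPM audit found high/critical vulnerabilities (or could not run) - check the output above"
  failures=$((failures + 1))
fi

# 2. Trivy scan (if available) — blocking
echo "🔍 Running Trivy vulnerability scan..."
if command -v trivy >/dev/null 2>&1; then
  # --exit-code 1 is essential: Trivy exits 0 by default even when it finds
  # vulnerabilities or secrets, which would make this check always "pass".
  if trivy fs --scanners vuln,secret --exit-code 1 --format table .; then
    print_status "Trivy scan completed successfully"
  else
    print_error "Trivy scan found issues - check the output above"
    failures=$((failures + 1))
  fi
else
  print_warning "Trivy not installed - skipping Trivy scan"
  echo "To install Trivy: brew install trivy (or see https://aquasecurity.github.io/trivy/)"
fi

# 3. Check for secrets using advanced detection — blocking
echo "🔍 Checking for potential secrets in code..."
secrets_script="./scripts/check-secrets.sh"
if [[ ! -x "$secrets_script" ]]; then
  # A missing or non-executable checker must not be reported as a clean run,
  # nor be confused with an actual secret finding.
  print_error "Secret scanner $secrets_script is missing or not executable"
  failures=$((failures + 1))
elif "$secrets_script"; then
  print_status "No secrets found in code"
else
  print_error "Secrets detected - please review"
  failures=$((failures + 1))
fi

# 4. Check for outdated dependencies — informational
echo "🔍 Checking for outdated dependencies..."
# npm outdated exits 1 when at least one package is outdated.
if npm outdated; then
  print_status "All dependencies are up to date"
else
  print_warning "Some dependencies are outdated - consider updating"
fi

# 5. Check for known vulnerable packages (moderate and above) — informational
echo "🔍 Checking for known vulnerable packages..."
if npm audit --audit-level=moderate; then
  print_status "No moderate+ vulnerabilities found"
else
  print_warning "Some vulnerabilities found - run 'npm audit fix' to attempt fixes"
fi

echo ""
echo "🔒 Security scan completed!"
echo "For more detailed security analysis, consider:"
echo " - Running 'npm audit fix' to fix vulnerabilities (review any '--force' upgrade, it can introduce breaking changes)"
echo " - Installing Trivy for comprehensive vulnerability scanning"
echo " - Using tools like Snyk or GitHub Dependabot for ongoing monitoring"

# Fail the run (and any CI job wrapping it) when a blocking check reported findings.
if (( failures > 0 )); then
  print_error "Security scan finished with $failures blocking finding(s)"
  exit 1
fi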