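{{- if .Values.pipeline.enabled }}
# Argo ClusterWorkflowTemplate for the security pipeline: clone the target
# repository, fan out to the scanner templates in parallel, push results to the
# storage and DefectDojo sinks, then enforce the CVSS policy.
#
# Argo's own `{{workflow.parameters.*}}` / `{{inputs.parameters.*}}` references
# share Helm's delimiters, so they are emitted as string literals (`| quote`);
# otherwise Helm tries to parse them as template actions and rendering fails.
apiVersion: argoproj.io/v1alpha1
kind: ClusterWorkflowTemplate
metadata:
  name: amp-security-pipeline-v1.0.0
spec:
  # NOTE(review): "default" is the namespace-wide service account shared by
  # every pod; Argo generally needs a dedicated, least-privilege account for
  # the executor — confirm which account this chart is meant to bind.
  serviceAccountName: default
  entrypoint: security-pipeline
  volumeClaimTemplates:
    - metadata:
        name: workspace
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 1Gi
  arguments:
    parameters:
      - name: working-dir
        value: "."
      # CVSS threshold handed to enforce-policy; quoted so it stays a string.
      - name: fail-on-cvss
        value: "7.0"
      # No default: the caller must supply the repository to scan.
      - name: repo-url
      - name: git-revision
        value: main
  templates:
    - name: security-pipeline
      dag:
        tasks:
          - name: clone
            template: clone-repo
            arguments:
              parameters:
                - name: repo-url
                  value: {{ "{{workflow.parameters.repo-url}}" | quote }}
                - name: git-revision
                  value: {{ "{{workflow.parameters.git-revision}}" | quote }}
          - name: scanners
            dependencies:
              - clone
            template: parallel-scanners
            arguments:
              parameters:
                - name: working-dir
                  value: {{ "{{workflow.parameters.working-dir}}" | quote }}
                - name: fail-on-cvss
                  value: {{ "{{workflow.parameters.fail-on-cvss}}" | quote }}
          - name: upload-storage
            dependencies:
              - scanners
            template: upload-storage
          - name: upload-defectdojo
            dependencies:
              - scanners
            template: upload-defectdojo
          - name: enforce-policy
            dependencies:
              - upload-storage
              - upload-defectdojo
            template: enforce-policy
            arguments:
              parameters:
                - name: fail-on-cvss
                  value: {{ "{{workflow.parameters.fail-on-cvss}}" | quote }}
          # NOTE(review): this task only waits for the scanners, so the
          # "finished" notification can fire before enforce-policy has run;
          # add enforce-policy to its dependencies if that ordering is intended.
          - name: sinks-and-enforcement
            dependencies:
              - scanners
            template: sinks-and-enforcement
    - name: clone-repo
      inputs:
        parameters:
          - name: repo-url
          - name: git-revision
      container:
        image: alpine/git:2.45.2
        # Run git directly instead of interpolating the parameters into a
        # `sh -c` string: each parameter is its own argv element, so a
        # revision or URL containing shell metacharacters cannot alter the
        # command that is executed.
        command:
          - git
        args:
          - clone
          - --branch
          - {{ "{{inputs.parameters.git-revision}}" | quote }}
          - --single-branch
          # End of options: the URL is always positional, never an option.
          - "--"
          - {{ "{{inputs.parameters.repo-url}}" | quote }}
          - /workspace
        volumeMounts:
          - name: workspace
            mountPath: /workspace
    - name: parallel-scanners
      inputs:
        parameters:
          - name: working-dir
          # Declared for callers; the scanner tasks below only forward working-dir.
          - name: fail-on-cvss
      dag:
        tasks:
          {{- range $scanner := list "trufflehog" "semgrep" "kics" "socketdev" "syft-grype" "defectdojo" }}
          - name: {{ $scanner }}
            template: scan-{{ $scanner }}
            arguments:
              parameters:
                - name: working-dir
                  value: {{ "{{inputs.parameters.working-dir}}" | quote }}
          {{- end }}
    - name: sinks-and-enforcement
      container:
        # TODO(review): pin this image to a fixed tag or digest; a floating
        # `latest` tag makes this step unreproducible and unauditable.
        image: curlimages/curl:latest
        command:
          - sh
          - -c
        args:
          # NOTE(review): SLACK_WEBHOOK_URL is not set on this container, so
          # the curl branch is a no-op unless the variable is injected elsewhere.
          # Notification failures are deliberately ignored (`|| true`).
          - |
            set -eu
            echo "Pipeline complete. You can configure a webhook notification here."
            if [ -n "${SLACK_WEBHOOK_URL:-}" ]; then
              curl -X POST -H 'Content-type: application/json' --data '{"text":"Security Pipeline Finished"}' "${SLACK_WEBHOOK_URL}" || true
            fi
# Scanner, sink and policy templates are defined in named partials; `indent 4`
# places them at the same level as the inline templates above.
{{ include "template.scan-syft-grype" . | indent 4 }}
{{ include "template.scan-socketdev" . | indent 4 }}
{{ include "template.scan-defectdojo" . | indent 4 }}
{{ include "template.scan-semgrep" . | indent 4 }}
{{ include "template.scan-trufflehog" . | indent 4 }}
{{ include "template.scan-kics" . | indent 4 }}
{{ include "template.upload-defectdojo" . | indent 4 }}
{{ include "template.upload-storage" . | indent 4 }}
{{ include "template.enforce-policy" . | indent 4 }}
{{- end }}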