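# TODO(review): pin the base by digest (ubuntu:24.04@sha256:...) for a
# reproducible build; the tag alone moves.
FROM ubuntu:24.04

# Run every RUN under bash with pipefail: several steps below pipe curl into
# tar/gpg, and under the default /bin/sh -c a failed curl is masked by the exit
# status of the last command in the pipe (hadolint DL4006).
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Left in ENV (not a build-time ARG) deliberately: presumably jobs running in
# this image may call apt-get themselves and should stay non-interactive too —
# confirm, and switch to ARG if that is not needed.
ENV DEBIAN_FRONTEND=noninteractive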

# --- Tool versions ---
# Bump these from each project's releases page. Grouped in one ENV instruction
# (ENV rather than ARG, so the installed versions are also visible at runtime).
ENV GITLEAKS_VERSION=8.30.0 \
    TRUFFLEHOG_VERSION=3.88.1 \
    TRIVY_VERSION=0.69.1 \
    GRYPE_VERSION=0.84.0 \
    ACTIONLINT_VERSION=1.7.4 \
    HADOLINT_VERSION=2.12.0 \
    SEMGREP_VERSION=1.153.1

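# Base packages + Node.js (required by actions/checkout).
# Node.js comes from NodeSource's apt repository, configured by hand instead of
# piping their setup script into bash: the packages are then verified by apt
# against the NodeSource signing key instead of trusting whatever the script
# does at build time. NOTE(review): the key itself is fetched over TLS and is not
# pinned by fingerprint; compare it against NodeSource's published fingerprint
# if that guarantee is required.
ARG NODE_MAJOR=20
RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        gnupg \
        python3 \
        python3-pip \
    && install -d -m 0755 /etc/apt/keyrings \
    && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key \
        | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \
    && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${NODE_MAJOR}.x nodistro main" \
        > /etc/apt/sources.list.d/nodesource.list \
    && apt-get update \
    && apt-get install -y --no-install-recommends nodejs \
    && rm -rf /var/lib/apt/lists/*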

# Python security tools, installed into the system site-packages (this is a
# single-purpose tool image, hence --break-system-packages on Ubuntu 24.04's
# externally-managed Python). NOTE(review): checkov and yamllint are unpinned,
# so rebuilds are not reproducible; pin them like semgrep, ideally with
# --require-hashes.
RUN python3 -m pip install \
        --no-cache-dir \
        --break-system-packages \
        "semgrep==${SEMGREP_VERSION}" \
        checkov \
        yamllint

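# gitleaks — secret detection
# The tarball is downloaded to a temp dir and verified against the release's
# checksums file before extraction; curl -f turns HTTP errors into build
# failures instead of feeding an error page to tar, and an asset missing from
# the checksums file leaves ${expected} empty, which sha256sum -c rejects.
# NOTE(review): the checksums file ships with the same release as the binary,
# so this catches corrupted or swapped downloads, not a compromised release —
# pin the expected SHA-256 here (ARG) or verify the release signature for that.
RUN tmp="$(mktemp -d)" \
    && asset="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
    && base="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}" \
    && curl -fsSL -o "${tmp}/${asset}" "${base}/${asset}" \
    && curl -fsSL -o "${tmp}/checksums.txt" "${base}/gitleaks_${GITLEAKS_VERSION}_checksums.txt" \
    && expected="$(awk -v f="${asset}" '$2 == f { print $1 }' "${tmp}/checksums.txt")" \
    && echo "${expected}  ${tmp}/${asset}" | sha256sum -c - \
    && tar -xzf "${tmp}/${asset}" -C /usr/local/bin gitleaks \
    && rm -rf "${tmp}"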

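# trufflehog — secret detection (entropy + pattern matching)
# Downloaded to a temp dir and checked against the release's checksums file
# before extraction. curl -f makes an HTTP error fail the build rather than
# hand tar an error page; if the asset is absent from the checksums file,
# ${expected} is empty and sha256sum -c fails. NOTE(review): the checksums file
# comes from the same release, so this guards against corrupted or swapped
# downloads, not a compromised release; pin the expected SHA-256 in the
# Dockerfile or verify the release signature for that.
RUN tmp="$(mktemp -d)" \
    && asset="trufflehog_${TRUFFLEHOG_VERSION}_linux_amd64.tar.gz" \
    && base="https://github.com/trufflesecurity/trufflehog/releases/download/v${TRUFFLEHOG_VERSION}" \
    && curl -fsSL -o "${tmp}/${asset}" "${base}/${asset}" \
    && curl -fsSL -o "${tmp}/checksums.txt" "${base}/trufflehog_${TRUFFLEHOG_VERSION}_checksums.txt" \
    && expected="$(awk -v f="${asset}" '$2 == f { print $1 }' "${tmp}/checksums.txt")" \
    && echo "${expected}  ${tmp}/${asset}" | sha256sum -c - \
    && tar -xzf "${tmp}/${asset}" -C /usr/local/bin trufflehog \
    && rm -rf "${tmp}"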

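# trivy — vulnerability scanning (NVD/GHSA, supports client/server mode for DB caching)
# Fetched into a temp dir and verified against the release's checksums file
# before extraction; curl -f fails the build on HTTP errors instead of piping an
# error page into tar, and a missing checksums entry leaves ${expected} empty so
# sha256sum -c fails. NOTE(review): the checksums file is published alongside
# the binary, so this detects corrupted or swapped downloads but not a
# compromised release — pin the expected SHA-256 here or verify the release
# signature for that.
RUN tmp="$(mktemp -d)" \
    && asset="trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" \
    && base="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}" \
    && curl -fsSL -o "${tmp}/${asset}" "${base}/${asset}" \
    && curl -fsSL -o "${tmp}/checksums.txt" "${base}/trivy_${TRIVY_VERSION}_checksums.txt" \
    && expected="$(awk -v f="${asset}" '$2 == f { print $1 }' "${tmp}/checksums.txt")" \
    && echo "${expected}  ${tmp}/${asset}" | sha256sum -c - \
    && tar -xzf "${tmp}/${asset}" -C /usr/local/bin trivy \
    && rm -rf "${tmp}"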

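# grype — vulnerability scanning (Anchore DB, alternative to trivy)
# Downloaded to a temp dir and checked against the release's checksums file
# before extraction. curl -f turns HTTP errors into build failures rather than
# feeding tar an error page; an asset missing from the checksums file leaves
# ${expected} empty, which sha256sum -c rejects. NOTE(review): because the
# checksums file ships with the same release, this catches corrupted or swapped
# downloads, not a compromised release; pin the expected SHA-256 here or verify
# the release signature for that.
RUN tmp="$(mktemp -d)" \
    && asset="grype_${GRYPE_VERSION}_linux_amd64.tar.gz" \
    && base="https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}" \
    && curl -fsSL -o "${tmp}/${asset}" "${base}/${asset}" \
    && curl -fsSL -o "${tmp}/checksums.txt" "${base}/grype_${GRYPE_VERSION}_checksums.txt" \
    && expected="$(awk -v f="${asset}" '$2 == f { print $1 }' "${tmp}/checksums.txt")" \
    && echo "${expected}  ${tmp}/${asset}" | sha256sum -c - \
    && tar -xzf "${tmp}/${asset}" -C /usr/local/bin grype \
    && rm -rf "${tmp}"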

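# actionlint — GitHub/Gitea Actions workflow linting
# Fetched into a temp dir and verified against the release's checksums file
# before extraction; curl -f makes HTTP errors fail the build instead of handing
# tar an error page, and a missing checksums entry leaves ${expected} empty so
# sha256sum -c fails. NOTE(review): the checksums file comes from the same
# release as the binary, so this guards against corrupted or swapped downloads
# but not a compromised release — pin the expected SHA-256 here or verify the
# release signature for that.
RUN tmp="$(mktemp -d)" \
    && asset="actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz" \
    && base="https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}" \
    && curl -fsSL -o "${tmp}/${asset}" "${base}/${asset}" \
    && curl -fsSL -o "${tmp}/checksums.txt" "${base}/actionlint_${ACTIONLINT_VERSION}_checksums.txt" \
    && expected="$(awk -v f="${asset}" '$2 == f { print $1 }' "${tmp}/checksums.txt")" \
    && echo "${expected}  ${tmp}/${asset}" | sha256sum -c - \
    && tar -xzf "${tmp}/${asset}" -C /usr/local/bin actionlint \
    && rm -rf "${tmp}"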

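# hadolint — Dockerfile best practices
# Single static binary, verified against the .sha256 file published with the
# release before it is installed. curl -f is essential here: without it an HTTP
# error page would be saved as the binary and made executable. Only the first
# field of the .sha256 file is used so either "hash" or "hash  filename" works.
# NOTE(review): the .sha256 file ships with the same release, so this detects
# corrupted or swapped downloads, not a compromised release; pin the expected
# SHA-256 here if that guarantee is needed.
RUN tmp="$(mktemp -d)" \
    && asset="hadolint-Linux-x86_64" \
    && base="https://github.com/hadolint/hadolint/releases/download/v${HADOLINT_VERSION}" \
    && curl -fsSL -o "${tmp}/${asset}" "${base}/${asset}" \
    && curl -fsSL -o "${tmp}/${asset}.sha256" "${base}/${asset}.sha256" \
    && expected="$(awk '{ print $1; exit }' "${tmp}/${asset}.sha256")" \
    && echo "${expected}  ${tmp}/${asset}" | sha256sum -c - \
    && install -m 0755 "${tmp}/${asset}" /usr/local/bin/hadolint \
    && rm -rf "${tmp}"

# NOTE(review): no USER is set, so everything in this image runs as root. That
# is presumably intentional for an Actions job container (actions/checkout is
# named as a consumer above and needs to write the workspace) — confirm; if jobs
# do not need root, add a non-root USER as the last step.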
