# dockerfiles/Dockerfile.quality-tools
FROM debian:bookworm-slim

ARG SONAR_SCANNER_VERSION=8.0.1.6346
ARG TRIVY_VERSION=0.70.0

SHELL ["/bin/bash", "-o", "pipefail", "-c"]

RUN apt-get update \
  && apt-get install -y --no-install-recommends \
    bash \
    ca-certificates \
    curl \
    git \
    jq \
    unzip \
  && rm -rf /var/lib/apt/lists/*

RUN set -eux; \
  scanner_zip="sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux-aarch64.zip"; \
  base_url="https://binaries.sonarsource.com/Distribution/sonar-scanner-cli"; \
  curl -fsSL "${base_url}/${scanner_zip}" -o "/tmp/${scanner_zip}"; \
  curl -fsSL "${base_url}/${scanner_zip}.sha256" -o "/tmp/${scanner_zip}.sha256"; \
  printf '%s  %s\n' "$(cat "/tmp/${scanner_zip}.sha256")" "/tmp/${scanner_zip}" | sha256sum -c -; \
  unzip -q "/tmp/${scanner_zip}" -d /opt; \
  ln -s "/opt/sonar-scanner-${SONAR_SCANNER_VERSION}-linux-aarch64/bin/sonar-scanner" /usr/local/bin/sonar-scanner; \
  rm -f "/tmp/${scanner_zip}" "/tmp/${scanner_zip}.sha256"

RUN set -eux; \
  trivy_tgz="trivy_${TRIVY_VERSION}_Linux-ARM64.tar.gz"; \
  curl -fsSL "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/${trivy_tgz}" -o "/tmp/${trivy_tgz}"; \
  tar -C /usr/local/bin -xzf "/tmp/${trivy_tgz}" trivy; \
  rm -f "/tmp/${trivy_tgz}"; \
  trivy --version; \
  sonar-scanner -v

WORKDIR /workspace