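#!/usr/bin/env bash
set -euo pipefail
# Lightweight OWASP ZAP baseline scan (spider + passive scan) run from the
# official container image, with reports dropped into a local directory.
#
# Usage: TARGET=https://test.lomavuokraus.fi ./scripts/zap-baseline.sh
#
# Environment:
#   TARGET           http(s) URL to scan (default: the test host below)
#   ZAP_IMAGE        container image to run (default: GHCR stable tag)
#   REPORT_DIR       where the reports land; relative to $PWD or absolute
#   TIMEOUT_MINUTES  value passed to zap-baseline.py -m (see note at the call site)
#
# Exit status is ZAP's own exit status, so a pipeline can gate on it.
TARGET="${TARGET:-https://test.lomavuokraus.fi}"
# Defaults to GHCR image; override with ZAP_IMAGE if needed (e.g. zaproxy/zap-stable).
# NOTE(review): ":stable" is a floating tag, so the scanner itself can change between
# runs. For CI, consider pinning to an image digest (ghcr.io/zaproxy/zaproxy@sha256:...).
ZAP_IMAGE="${ZAP_IMAGE:-ghcr.io/zaproxy/zaproxy:stable}"
REPORT_DIR="${REPORT_DIR:-reports/security}"
TIMEOUT_MINUTES="${TIMEOUT_MINUTES:-5}"

# Refuse anything that is not an http(s) URL: it cannot be a valid scan target and
# catches typos (or a stray value from CI) before a container is started.
case "$TARGET" in
  http://*|https://*) ;;
  *)
    printf 'TARGET must be an http(s) URL, got: %s\n' "$TARGET" >&2
    exit 2
    ;;
esac

mkdir -p -- "$REPORT_DIR"
# Docker bind mounts need an absolute host path. Resolving it this way also works
# when REPORT_DIR is already absolute (prefixing "$PWD/" would have produced
# a nonsensical path in that case).
report_dir_abs="$(cd -- "$REPORT_DIR" && pwd)"

echo "Running ZAP baseline against $TARGET (timeout ${TIMEOUT_MINUTES}m)..."

# Run as the invoking user so the reports are not root-owned on the host; HOME is
# pointed at the mounted work dir because the image's default home is not writable
# for an arbitrary uid.
#
# Flag notes (zap-baseline.py):
#   -I  do not fail on WARN-level findings. Only rules configured as FAIL (via a -c
#       config file, which this script does not pass) affect the exit status, so by
#       default this scan reports but does not block — verify against the ZAP docs
#       for the pinned image version if you rely on it as a gate.
#   -m  is the spider duration in minutes, not a hard timeout for the whole run;
#       the wording "timeout" in the log line above is kept for backward compatibility.
rv=0
docker run --rm \
  -u "$(id -u)":"$(id -g)" \
  -e HOME=/zap/wrk \
  -v "$report_dir_abs":/zap/wrk \
  -w /zap/wrk \
  "$ZAP_IMAGE" zap-baseline.py \
  -t "$TARGET" \
  -x zap-report.xml \
  -r zap-report.html \
  -J zap-report.json \
  -I \
  -m "$TIMEOUT_MINUTES" || rv=$?

# Reports are written even when ZAP exits non-zero (findings or errors), so always
# tell the user where they are, then propagate ZAP's verdict.
echo "Reports written to $REPORT_DIR (zap-report.html, zap-report.xml, zap-report.json)"
exit "$rv"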