pipeline{
    agent { label 'ubuntu-agent' }

    stages {
        stage('Dependency Security Scan') {
            agent {
                docker {
                    image 'python:3.13-slim'
                    // Ensure the container has the right permissions to see the workspace
                    args '-u root:root --entrypoint=""'
                    reuseNode true 
                }
            }
            environment {
                SAFETY_API_KEY = credentials('SafetyAPIKey')
            }
            steps {
                // This echo confirms we are actually INSIDE the step
                echo "Starting Safety Scan..." 
                sh '\
                    set -x \
                    # Check if uv is already there, otherwise install \
                    pip install uv safety --quiet \
                    # Export and scan \
                    uv export --format requirements-txt > exported-requirements.txt \
                    # Use check instead of scan (check is the standard command for requirements files) \
                    safety check --key $SAFETY_API_KEY -r exported-requirements.txt --full-report '
            }
        }
        stage('Vulnerability Scan (Grype)') {
            // We use the node's shell instead of a Docker agent
            steps {
                script {
                    // This command runs the container once, performs the scan, and disappears
                    sh "docker run --rm -v /home/jenkins/jenkins_agent/workspace/Python-Project-Generator -w /src anchore/grype:latest . --fail-on high"
                }
            }
        }
        stage('Unit Tests & Coverage') {
            agent {
                docker {
                    image 'python:3.13-slim'
                    args '-u root --entrypoint=""'
                    reuseNode true 
                }
            }
            steps {
                sh '\
                # Install uv \
                pip install uv \
                # Sync the environment (installs your app + pytest + pytest-cov) \
                uv sync \
                # Run the tests and generate the coverage.xml file \
                uv run pytest --cov=. --cov-report=xml '
            }
        }
        stage('SonarQube SAST Analysis') {
            agent {
                docker {
                    image 'sonarsource/sonar-scanner-cli:latest'
                    args '-u root --entrypoint=""'
                    reuseNode true 
                }
            }
            steps {
                // Ensure 'SonarQube' exactly matches the name in your Jenkins System configuration
                withSonarQubeEnv('SonarQube') {
                    sh '\
                    sonar-scanner                       -Dsonar.projectKey=woocommerce_api                       -Dsonar.projectName=woocommerce_api                       -Dsonar.sources=.                       -Dsonar.python.coverage.reportPaths=coverage.xml'
                }
            }
        } 
        stage('Quality Gate Check') {
            steps {
                // Prevent the pipeline from hanging forever if the webhook fails to arrive
                timeout(time: 15, unit: 'MINUTES') {
                    // This pauses the pipeline. abortPipeline: true means it fails the build if code quality is bad!
                    waitForQualityGate abortPipeline: true
                }
            }
        }
    }
}
