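#!/bin/bash
#
# Local security gate: audits Python dependencies (pip-audit), scans the
# Lambda handler (bandit) and validates the Terraform configuration.
#
# Outputs (written to the directory the script is started from):
#   security_report.md  - pip-audit output (stdout and stderr), markdown format
#   bandit_report.txt   - bandit findings, custom format
#
# Environment:
#   SCAN_STRICT=1  exit 1 when a scanner reports findings or fails to run.
#                  Default (unset/0) keeps scanner findings advisory.
#
# Exit status:
#   1 if Terraform init/validate fails, or findings exist with SCAN_STRICT=1;
#   0 otherwise.
set -euo pipefail

strict="${SCAN_STRICT:-0}"
findings=0

echo "=== Security Scan ==="

# Install the scanners only when they are missing.
# NOTE(review): these installs are unpinned, so the scanner itself becomes an
# unverified dependency of the gate. In CI prefer a pre-provisioned image or
# pinned, hash-checked versions.
command -v pip-audit >/dev/null 2>&1 || pip install pip-audit -q
command -v bandit >/dev/null 2>&1 || pip install bandit -q

echo "Scanning Python dependencies..."
# Decide on pip-audit's exit status (non-zero when vulnerabilities are
# reported) rather than grepping the report for a success sentence: the exact
# wording is version-dependent and may not match a hard-coded string, which
# would make the check report findings on every run.
audit_rc=0
pip-audit -r lambda/requirements.txt --format=markdown > security_report.md 2>&1 || audit_rc=$?
if [ "$audit_rc" -eq 0 ]; then
  echo "✓ Dependencies clean"
else
  findings=1
  echo "⚠ Vulnerabilities found or audit failed (pip-audit exit $audit_rc) - see security_report.md"
  cat security_report.md
fi

echo "Scanning Python code..."
# Drop any report left by a previous run so stale findings are never shown.
rm -f -- bandit_report.txt
bandit_rc=0
bandit -r lambda/lambda_function.py -f custom -o bandit_report.txt 2>&1 || bandit_rc=$?
# "Clean" requires both a zero exit status and an empty report. Checking only
# for an empty report fails open: a bandit run that crashes or cannot read the
# target writes nothing and would be reported as a clean scan.
if [ "$bandit_rc" -eq 0 ] && [ ! -s bandit_report.txt ]; then
  echo "✓ Code scan clean"
else
  findings=1
  echo "⚠ Code issues found or scan failed (bandit exit $bandit_rc) - see bandit_report.txt"
  if [ -s bandit_report.txt ]; then
    cat bandit_report.txt
  fi
fi

echo "Validating Terraform..."
# Run in a subshell so the caller's working directory is untouched, and chain
# with && because `set -e` is suspended inside an `if` condition. Testing the
# status directly also keeps the failure branch reachable; with `set -e` a
# separate `$?` check after the command never sees a non-zero status.
if (cd terraform \
    && terraform init -backend=false -input=false >/dev/null \
    && terraform validate); then
  echo "✓ Terraform valid"
else
  echo "✗ Terraform validation failed"
  exit 1
fi

echo "=== Security Scan Complete ==="

# Opt-in gate: without this the script exits 0 even when scanners found issues.
if [ "$findings" -ne 0 ] && [ "$strict" = "1" ]; then
  echo "✗ Findings present and SCAN_STRICT=1 - failing"
  exit 1
fi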