#!/usr/bin/env bash
set -euo pipefail

# DEVOPS-EXPORT-36-001: Trivy compatibility & signing checks

IMAGE=${IMAGE:-"ghcr.io/stella-ops/exporter:edge"}
OUT="out/export-compat"
mkdir -p "$OUT"

echo "[export-compat] pulling image $IMAGE"
docker pull "$IMAGE"

echo "[export-compat] running trivy image --severity HIGH,CRITICAL"
trivy image --severity HIGH,CRITICAL --quiet "$IMAGE" > "$OUT/trivy.txt" || true

echo "[export-compat] verifying cosign signature if present"
if command -v cosign >/dev/null 2>&1; then
  cosign verify "$IMAGE" > "$OUT/cosign.txt" || true
fi

echo "[export-compat] trivy module db import smoke"
trivy module db import --file "$OUT/trivy-module.db" 2>/dev/null || true

echo "[export-compat] done; outputs in $OUT"