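# Bitbucket Pipelines configuration. The `...` markers below are reproduced
# exactly as they appear in the source.

# NOTE(review): ':latest' is a mutable tag. Pin to a version or digest so an
# upstream image change cannot silently alter the build environment.
image: alpine:latest

# Cloning is disabled by default; steps that need the sources opt in.
clone:
  enabled: false

definitions:
  caches:
    ...
    sonar: ~/.sonar/cache
  services:
    docker:
      memory: 2048
  steps:
    - step: &dummy
        ...
    - step: &test_syntaxcheck
        ...
    - step: &test_codesniffer
        ...
    - step: &test_unit
        ...
    - step: &test_psalm
        ...
    - step: &vuln_scan
        name: "Vulnerability scan [CUSTOM]"
        clone:
          enabled: true
          depth: full
        image:
          # NOTE(review): same mutable-tag concern as the top-level image.
          name: "public.ecr.aws/americor-pub/app-php-at:latest"
        caches:
          - composer-custom
          - sonar
        script:
          # Create ~/.ssh owner-only. umask 077 makes the files written by
          # the next command owner-only as well.
          - mkdir -m 0700 -p ~/.ssh; umask 077
          # Install the CI deploy key only when the variable is set. The
          # variable is quoted: an unquoted `[ -n $VAR ]` collapses to
          # `[ -n ]` when VAR is empty, which is true, so an empty key file
          # and the ssh config would be written anyway.
          # NOTE(review): StrictHostKeyChecking=no turns off SSH host key
          # verification, so the runner cannot detect an impersonated Git
          # host. Prefer a pinned known_hosts entry
          # (placeholder: <git-host> <key-type> <public-key>) together with
          # StrictHostKeyChecking=yes.
          - |
            if [ -n "$SSH_CI_PRIV_KEY" ]; then
              echo "$SSH_CI_PRIV_KEY" | base64 -d > ~/.ssh/id_ed25519
              printf 'IdentityFile ~/.ssh/id_ed25519\nServerAliveInterval 180\nStrictHostKeyChecking=no\n' > ~/.ssh/config
            fi
          # NOTE(review): `composer install` runs while the deploy key is on
          # disk, so any dependency scripts or plugins it executes could
          # read the key. Consider whether --no-scripts / --no-plugins is
          # acceptable here.
          # NOTE(review): `chmod -R 777 .` makes the whole checkout
          # world-writable. Presumably this lets the scan pipe's container
          # user write into it; confirm, and narrow the mode or the path.
          - cd "$BITBUCKET_CLONE_DIR" && php ./composer.phar install && chmod -R 777 .
          # Both pipes are pinned to explicit versions.
          # NOTE(review): if DEBUG is enabled the scanner log may be
          # verbose; check that EXTRA_ARGS and SONAR_SCANNER_OPTS never
          # carry secrets.
          - pipe: sonarsource/sonarcloud-scan:1.4.0
            variables:
              EXTRA_ARGS: $CI_CUSTOM_SCAN_EXTRA_ARGS
              DEBUG: $CI_CUSTOM_SCAN_DEBUG
              SONAR_SCANNER_OPTS: $CI_CUSTOM_SCAN_OPTS
          - pipe: sonarsource/sonarcloud-quality-gate:0.1.6
    - step: &deploy
        ...
    - step: &analyze-migrations
        ...

pipelines:
  custom:
    # Manually triggered pipeline that reuses the vuln_scan step definition.
    custom-scan:
      - step:
          <<: *vuln_scan
  branches:
    ...
  pull-requests:
    ...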