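#!/bin/bash
# Pre-push hook that runs security scans (brakeman + bundler-audit)
#
# Git runs pre-push hooks from the repository root, so both scanners see the
# project's Gemfile. The push is refused (exit 1) when either scan exits
# non-zero; the hook itself exits 0 only when both scans passed.
#
# `set -e` is deliberately NOT used: the exit code of each scanner is
# captured and reported individually, and -e would abort on the first
# failing scan and hide the result of the second one. `set -u` is safe here
# and catches a misspelled variable name.
set -u

# Exit codes of the two scans; 0 means the scan passed. A non-zero value
# also covers "scanner could not run" (e.g. `bundle` missing -> 127), which
# must block the push as well rather than be mistaken for a clean result.
BRAKEMAN_EXIT=0
BUNDLER_AUDIT_EXIT=0

#######################################
# Print a failure banner for one scan.
# Arguments: $1 - one-line summary of the failure
#            $2 - hint on how to get detailed output
# Outputs:   banner on stderr (diagnostics, not results)
# Returns:   0
#######################################
report_failure() {
  printf '\n❌ %s\n %s\n\n' "$1" "$2" >&2
}

printf 'Running security scans...\n\n'

# Run brakeman. stdin is redirected from /dev/null so the scanner cannot
# consume the ref list that git feeds to a pre-push hook on stdin.
printf '🔍 Running brakeman...\n'
bundle exec brakeman --no-pager --quiet </dev/null
BRAKEMAN_EXIT=$?
if [ "$BRAKEMAN_EXIT" -ne 0 ]; then
  report_failure "Brakeman found security issues." \
    "Run 'bundle exec brakeman' for detailed output."
fi

# Run bundler-audit. `--update` refreshes the advisory database first and
# therefore needs network access; without it the check fails and the push
# is blocked, which is the safe default for a security gate.
printf '🔍 Running bundler-audit...\n'
bundle exec bundler-audit check --update </dev/null
BUNDLER_AUDIT_EXIT=$?
if [ "$BUNDLER_AUDIT_EXIT" -ne 0 ]; then
  report_failure "Bundler-audit found vulnerable dependencies." \
    "Run 'bundle exec bundler-audit check' for detailed output."
fi

# If either scan failed, prevent push
if [ "$BRAKEMAN_EXIT" -ne 0 ] || [ "$BUNDLER_AUDIT_EXIT" -ne 0 ]; then
  printf '❌ Security scans failed. Please fix the issues before pushing.\n' >&2
  printf " To skip this hook, use 'git push --no-verify'\n" >&2
  exit 1
fi

printf '\n✅ All security scans passed!\n'
exit 0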