---
- name: Docker Image Security Scan mit Trivy
  hosts: docker_nodes
  become: yes
  tasks:
    - name: Sicherstellen, dass Trivy installiert ist (Ubuntu)
      ansible.builtin.shell: |
        if ! command -v trivy &> /dev/null; then
          apt-get install -y wget apt-transport-https gnupg lsb-release
          wget -qO - https://aquasecurity.github.io/trivy-repo/dabest.gpg | gpg --dearmor -o /usr/share/keyrings/trivy.gpg
          echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | tee -a /etc/apt/sources.list.d/trivy.list
          apt-get update
          apt-get install -y trivy
        fi
      args:
        executable: /bin/bash

    - name: Scan eines Test-Images (nginx:latest)
      ansible.builtin.command:
        cmd: trivy image --format json --output /tmp/scan_result.json nginx:latest
      register: scan_output

    - name: Zeige Scan-Zusammenfassung im Log
      ansible.builtin.command:
        cmd: trivy image --severity HIGH,CRITICAL nginx:latest
      register: trivy_summary

    - name: Ergebnis ausgeben
      ansible.builtin.debug:
        msg: "{{ trivy_summary.stdout_lines }}"