chore try docker scout

.github/workflows/docker-scan.yml

@@ -20,17 +20,22 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
+      - name: Analyze for critical and high CVEs
+        id: docker-scout-cves
+        if: ${{ github.event_name != 'pull_request_target' }}
+        uses: docker/scout-action@v1
         with:
-          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ee:main
-          format: "sarif"
-          # output: "trivy-results.sarif"
-          severity: "CRITICAL,HIGH"
-          scanners: "vuln"
-          limit-severities-for-sarif: true
-          output: "trivy-results.sarif"
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+          command: cves
+          only-severities: critical,high
+          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-ee:main
+          sarif-file: sarif.output.json
+          summary: true
+          dockerhub-user: windmilllabs
+          dockerhub-password: ${{ secrets.DOCKER_PAT }}
+
+      - name: Upload SARIF result
+        id: upload-sarif
+        if: ${{ github.event_name != 'pull_request_target' }}
+        uses: github/codeql-action/upload-sarif@v2
         with:
-          sarif_file: "trivy-results.sarif"
+          sarif_file: sarif.output.json