From a913f34fc88a803bf1d94284304ab1bda18c2c49 Mon Sep 17 00:00:00 2001
From: Florian Hotze
Date: Wed, 13 Mar 2024 09:53:14 +0100
Subject: [PATCH 1/5] Add Docker scout to GitHub action
---
 .../workflows/{docker-publish.yml => docker.yml} | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 rename .github/workflows/{docker-publish.yml => docker.yml} (86%)
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker.yml
similarity index 86%
rename from .github/workflows/docker-publish.yml
rename to .github/workflows/docker.yml
index 5a9e972..a17181a 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker.yml
@@ -97,3 +97,17 @@ jobs:
 # This step uses the identity token to provision an ephemeral certificate
 # against the sigstore community Fulcio instance.
 run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
+
+ # Use Docker Scout to analyze security vulnerabilities
+ - name: Docker Scout
+ id: docker-scout
+ if: ${{ github.event_name == 'pull_request' }}
+ uses: docker/scout-action@v1
+ with:
+ command: compare
+ image: ${{ steps.meta.outputs.tags }}
+ to: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.COMPARE_TAG }}
+ ignore-unchanged: true
+ only-severities: critical,high
+ write-comment: true
+ github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
From fe1bab14edd850ad07431083d65308321e10d26b Mon Sep 17 00:00:00 2001
From: Florian Hotze
Date: Wed, 13 Mar 2024 10:04:09 +0100
Subject: [PATCH 2/5] Update docker.yml
---
 .github/workflows/docker.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index a17181a..2eedacc 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
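Review bot: `uses: docker/scout-action@v1` in the new step references a third-party action by a mutable major-version tag, so the code that receives `secrets.GITHUB_TOKEN` can change upstream without any change to this repository. Pin it to a full commit SHA and keep the tag as a comment, `uses: docker/scout-action@<full-commit-sha> # v1`, and let Dependabot or Renovate move the pin. As written the step only reports: with `only-severities: critical,high` and no `exit-code` input, new critical/high findings appear as a PR comment but never fail the check, so add `exit-code: true` if the compare is meant to gate merges. If `steps.meta` is docker/metadata-action, its `tags` output is newline-separated and may carry several references, while `image:` presumably expects a single one — worth confirming against the steps above this hunk. The enclosing `build` job and its steps list start before the hunk.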
@@ -13,11 +13,12 @@ on:
 branches: [ "main" ]
 env:
- # Use docker.io for Docker Hub if empty
 REGISTRY: ghcr.io
 # github.repository as /
 IMAGE_NAME: ${{ github.repository }}
-
+ SHA: ${{ github.event.pull_request.head.sha || github.event.after }}
+ # Use `main` as the tag to compare to if empty, assuming that it's already pushed
+ COMPARE_TAG: main
 jobs:
 build:
From 6f7e697ab0f73f8e6c9fce528373a51f1ac52498 Mon Sep 17 00:00:00 2001
From: Florian Hotze
Date: Wed, 13 Mar 2024 10:15:07 +0100
Subject: [PATCH 3/5] Update docker.yml
---
 .github/workflows/docker.yml | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 2eedacc..6239b92 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -1,10 +1,5 @@
 name: Docker
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
 on:
 push:
 tags: [ 'v*.*.*' ] # Publishes with latest tag.
@@ -17,7 +12,6 @@ env:
 # github.repository as /
 IMAGE_NAME: ${{ github.repository }}
 SHA: ${{ github.event.pull_request.head.sha || github.event.after }}
- # Use `main` as the tag to compare to if empty, assuming that it's already pushed
 COMPARE_TAG: main
 jobs:
@@ -100,11 +94,14 @@ jobs:
 run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
 # Use Docker Scout to analyze security vulnerabilities
+ # https://github.com/docker/scout-action
 - name: Docker Scout
 id: docker-scout
 if: ${{ github.event_name == 'pull_request' }}
 uses: docker/scout-action@v1
 with:
+ dockerhub-user: ${{ secrets.DOCKER_USER }}
+ dockerhub-password: ${{ secrets.DOCKER_PAT }}
 command: compare
 image: ${{ steps.meta.outputs.tags }}
 to: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.COMPARE_TAG }}
From 720e5779a9645ba816f1e72756ef5e377d67e34e Mon Sep 17 00:00:00 2001
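Review bot: The new `SHA` env entry is not consumed anywhere in this series — the Scout step identifies the image through `steps.meta.outputs.tags` and the baseline through `env.COMPARE_TAG` — so unless something outside these hunks reads `env.SHA`, it is dead configuration. Either drop it or use it where the image under review is named, so a reader does not assume the compare is keyed on the PR head commit when it is not. The `env` block is shown in full here; the `jobs:` mapping continues past the hunk.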
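Review bot: The step stays gated on `github.event_name == 'pull_request'`, but the two inputs added here read `secrets.DOCKER_USER` and `secrets.DOCKER_PAT`; for pull requests opened from forks those repository secrets are not exposed to the workflow, so the login inputs expand to empty strings and the step is likely to fail on exactly the event it targets. Either narrow the condition to same-repository PRs, `if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository }}`, or accept the failure explicitly with `continue-on-error: true` so a fork PR is not blocked by a tooling login. Since the credentials only serve Scout's Docker Hub login, `DOCKER_PAT` should be a token limited to the minimum (read-only) access the action needs. The step's remaining `with:` inputs continue past the end of the hunk.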
From: Florian Hotze
Date: Wed, 13 Mar 2024 10:18:35 +0100
Subject: [PATCH 4/5] Update docker.yml
---
 .github/workflows/docker.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 6239b92..edb764a 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -14,6 +14,9 @@ env:
 SHA: ${{ github.event.pull_request.head.sha || github.event.after }}
 COMPARE_TAG: main
+permissions:
+ pull-requests: write
+
 jobs:
 build:
From 40b5c0c0e83eb927ab2c2c4f853ce106c23bd556 Mon Sep 17 00:00:00 2001
From: Florian Hotze
Date: Wed, 13 Mar 2024 10:24:39 +0100
Subject: [PATCH 5/5] Update docker.yml
---
 .github/workflows/docker.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index edb764a..8305d3f 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -14,9 +14,6 @@ env:
 SHA: ${{ github.event.pull_request.head.sha || github.event.after }}
 COMPARE_TAG: main
-permissions:
- pull-requests: write
-
 jobs:
 build:
@@ -24,6 +21,7 @@ jobs:
 permissions:
 contents: read
 packages: write
+ pull-requests: write
 # This is used to complete the identity challenge
 # with sigstore/fulcio when running outside of PRs.
 id-token: write
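Review bot: `pull-requests: write` is now granted to the whole `build` job for every trigger — tag and branch pushes included — although only the `pull_request`-gated Docker Scout step writes a comment, and it sits in the same token as `packages: write` and `id-token: write`. If that scope matters, the least-privilege shape is a separate job for the Scout compare with its own `permissions:` block holding `pull-requests: write` (plus, presumably, `packages: read` if it has to pull the comparison image), leaving the publish job's permissions as they were. The `build` job's definition continues past the hunk.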