Analyze the final docker image

.github/workflows/ci.yml

@@ -50,9 +50,8 @@ jobs:
     permissions:
       contents: read
       packages: write
-      # This is used to complete the identity challenge
-      # with sigstore/fulcio when running outside of PRs.
       id-token: write
+      security-events: write
 
     steps:
       - name: Checkout repository
@@ -103,6 +102,31 @@ jobs:
             annotation.org.opencontainers.image.vendor="Defensive Lab Agency"
             annotation.org.opencontainers.image.licenses="GPL-3.0"
             annotation.org.opencontainers.image.revision="${{ github.sha }}"
+      
+      - name: Log into Docker Hub
+        uses: docker/[email protected]
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Docker Scout
+        id: docker-scout
+        uses: docker/scout-action@v1
+        with:
+          command: cves,sbom
+          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.DOCKER_METADATA_OUTPUT_VERSION }}
+          sarif-file: sarif.output.json
+          summary: true
+          only-severities: critical,high
+          write-comment: true
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload SARIF result
+        id: upload-sarif
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: sarif.output.json
 
   build-deployment-package:
     if: github.event_name == 'push' && github.repository_owner == 'PiRogueToolSuite'