Create scout-repo-scan.yaml

Author: borislavr

.github/workflows/scout-repo-scan.yaml

@@ -0,0 +1,40 @@
+name: Scout repository scan
+on:
+  workflow_dispatch: {}
+  schedule:
+  # Runs every Monday at 00:00 UTC
+    - cron: '0 0 * * 1'
+permissions:
+  contents: read
+jobs:
+  scout_repo_scan:
+    if: github.actor != 'dependabot[bot]'
+    permissions:
+      contents: read
+      security-events: write
+      pull-requests: write
+
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout Repository
+      uses: actions/checkout@v4
+
+    - name: Analyze for critical and high CVEs
+      id: docker-scout-cves
+      if: ${{ github.event_name != 'pull_request_target' }}
+      uses: docker/scout-action@v1
+      continue-on-error: true
+      with:
+        command: cves
+        image: fs://../${{ github.event.repository.name }}
+        sarif-file: sarif.output.json
+        summary: true
+        ignore-base: true
+        dockerhub-user: ${{ secrets.DOCKERHUB_USER }}
+        dockerhub-password: ${{ secrets.DOCKERHUB_RW_TOKEN }}
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Upload SARIF result
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: sarif.output.json