switch from trivy to docker scout

Signed-off-by: Robert Waffen <[email protected]>

Author: rwaffen

.github/workflows/ci.yaml

@@ -52,18 +52,20 @@ jobs:
             RUBYGEM_OVERCOMMIT=${{ matrix.rubygem_overcommit }}
             RUBYGEM_MODULESYNC=${{ matrix.rubygem_modulesync }}
 
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
+      - name: Analyze for critical and high CVEs
+        id: docker-scout-cves
+        uses: docker/scout-action@v1
         with:
-          image-ref: 'ci/voxbox-${{ matrix.rubygem_puppet }}:${{ github.sha }}'
-          format: 'sarif'
-          output: 'trivy-results-${{ matrix.rubygem_puppet }}.sarif'
-          severity: 'CRITICAL,HIGH'
+          command: cves
+          image: 'local://ci/voxbox-${{ matrix.rubygem_puppet }}:${{ github.sha }}'
+          sarif-file: sarif.output.${{ matrix.rubygem_puppet }}.${{ github.sha }}.json
+          summary: true
 
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+      - name: Upload SARIF result
+        id: upload-sarif
+        uses: github/codeql-action/upload-sarif@v2
         with:
-          sarif_file: 'trivy-results-${{ matrix.rubygem_puppet }}.sarif'
+          sarif_file: sarif.output.${{ matrix.rubygem_puppet }}.${{ github.sha }}.json
 
       - name: Clone voxpupuli/puppet-example repository
         uses: actions/checkout@v4