Description
It would be very convenient to have Docker Scout embedded, as an optional step, in this reusable workflow.
For example, one of the common use cases is to scan for CVEs and upload the SARIF output to the GitHub Security panel.
Several other options would be very beneficial too:
- `org`, to evaluate policies
- `quickview` action, optionally writing the summary as a PR comment
- `compare` action with another image, optionally writing the comparison table as a PR comment
  ... `main` for example), because maybe there is no associated container image yet (not yet released), but it still needs to be compared with the current branch/PR. Example here: https://github.com/mathieu-benoit/sail-sharp/blob/main/.github/workflows/open-pr.yml#L9-L80
Note: we could have another job doing that, but for example in a PR, if we do `push: false` but still want to use Docker Scout, it's very complex to have this in place as an end user.
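For reference, this is the kind of PR job the request describes today, written out as an added example (not code from this issue, the reusable workflow, or the linked sail-sharp repo): build the PR image with `push: false` but `load: true` so Docker Scout can scan the local image, run `cves` to SARIF and upload it to the Security panel, then `compare` against the released tag and post the table as a PR comment. The action versions, the secret names `DOCKER_USER`/`DOCKER_PAT`, the variables `IMAGE_NAME`/`DOCKER_ORG` and the SARIF file name are assumptions for the example.

```yaml
# Added example: standalone PR scan with docker/scout-action, push: false.
# Assumed: secrets DOCKER_USER / DOCKER_PAT, vars IMAGE_NAME / DOCKER_ORG.
name: pr-scout

on:
  pull_request:

permissions:
  contents: read
  security-events: write   # required by codeql-action/upload-sarif
  pull-requests: write     # required for write-comment on compare/quickview

env:
  # Local-only tag for the PR build; never pushed.
  PR_IMAGE: ${{ vars.IMAGE_NAME }}:pr-${{ github.event.pull_request.number }}
  # Released image to compare against (assumed to exist on the registry).
  BASE_IMAGE: ${{ vars.IMAGE_NAME }}:latest

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: docker/setup-buildx-action@v3

      # push: false + load: true puts the image in the runner's Docker
      # daemon so Scout can analyse it. load only supports a single platform.
      - uses: docker/build-push-action@v5
        with:
          context: .
          push: false
          load: true
          tags: ${{ env.PR_IMAGE }}

      # Scout needs a Docker Hub login even when the image is only local.
      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_PAT }}

      # CVE scan; exit-code: false so the job continues to the upload step
      # even when findings are present (the Security panel is the gate here).
      - name: Scan CVEs to SARIF
        uses: docker/scout-action@v1
        with:
          command: cves
          image: ${{ env.PR_IMAGE }}
          sarif-file: scout-results.sarif.json
          only-severities: critical,high
          exit-code: false

      - name: Upload SARIF to the GitHub Security panel
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: scout-results.sarif.json

      # Compare the PR image with the released one; organization enables
      # policy evaluation, write-comment posts the table on the PR.
      - name: Compare with the released image
        uses: docker/scout-action@v1
        with:
          command: compare
          image: ${{ env.PR_IMAGE }}
          to: ${{ env.BASE_IMAGE }}
          organization: ${{ vars.DOCKER_ORG }}
          ignore-unchanged: true
          only-severities: critical,high
          write-comment: true
          github-token: ${{ secrets.GITHUB_TOKEN }}
```

Two practical caveats: the SARIF upload and the PR comment each need their own permission (`security-events: write` and `pull-requests: write`), which is easy to miss when this is bolted on as a separate job, and the `compare` step fails if `BASE_IMAGE` does not exist yet, which is exactly the "not yet released" case the issue raises.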