From 32c38572abefbc47089968bd4af4bb560f846657 Mon Sep 17 00:00:00 2001
From: Robert Waffen
Date: Wed, 31 Jul 2024 14:57:59 +0200
Subject: [PATCH 1/3] switch from trivy to docker scout
Signed-off-by: Robert Waffen
---
 .github/workflows/ci.yaml | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 4e602b3..f8b2b1b 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -52,18 +52,20 @@ jobs:
 RUBYGEM_OVERCOMMIT=${{ matrix.rubygem_overcommit }}
 RUBYGEM_MODULESYNC=${{ matrix.rubygem_modulesync }}
- - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
+ - name: Analyze for critical and high CVEs
+ id: docker-scout-cves
+ uses: docker/scout-action@v1
 with:
- image-ref: 'ci/voxbox-${{ matrix.rubygem_puppet }}:${{ github.sha }}'
- format: 'sarif'
- output: 'trivy-results-${{ matrix.rubygem_puppet }}.sarif'
- severity: 'CRITICAL,HIGH'
+ command: cves
+ image: 'local://ci/voxbox-${{ matrix.rubygem_puppet }}:${{ github.sha }}'
+ sarif-file: sarif.output.${{ matrix.rubygem_puppet }}.${{ github.sha }}.json
+ summary: true
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v3
+ - name: Upload SARIF result
+ id: upload-sarif
+ uses: github/codeql-action/upload-sarif@v2
 with:
- sarif_file: 'trivy-results-${{ matrix.rubygem_puppet }}.sarif'
+ sarif_file: sarif.output.${{ matrix.rubygem_puppet }}.${{ github.sha }}.json
 - name: Clone voxpupuli/puppet-example repository
 uses: actions/checkout@v4
From ee9099248ebd20e3ec059b44c052ee02c76e051a Mon Sep 17 00:00:00 2001
From: Robert Waffen
Date: Wed, 31 Jul 2024 15:05:15 +0200
Subject: [PATCH 2/3] login to docker to do scout cve scan
Signed-off-by: Robert Waffen
---
 .github/workflows/ci.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index f8b2b1b..b80ca73 100644
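Review bot: The upload step moves from `github/codeql-action/upload-sarif@v3` back to `@v2`, a version regression that the commit message does not explain; the removed line already pinned v3, so the new line should read `uses: github/codeql-action/upload-sarif@v3`. The scan step is named "Analyze for critical and high CVEs" but, unlike the replaced Trivy step's `severity: 'CRITICAL,HIGH'`, it carries no severity filter, so Scout will write every severity into the SARIF and the Security tab; if the filter is intended, add `only-severities: critical,high` under `with:`. Both actions are referenced by mutable tags (`@v1`, `@v2`); pinning to a full commit SHA with the tag in a trailing comment is the usual hardening for a step that reads the freshly built image and uploads to the Security tab. The enclosing job and its `permissions:` block start before the hunk.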
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -52,6 +52,12 @@ jobs:
 RUBYGEM_OVERCOMMIT=${{ matrix.rubygem_overcommit }}
 RUBYGEM_MODULESYNC=${{ matrix.rubygem_modulesync }}
+ - name: Login to Docker Hub
+ uses: docker/login-action@v3
+ with:
+ username: voxpupulibot
+ password: ${{ secrets.DOCKERHUB_BOT_PASSWORD }}
+
 - name: Analyze for critical and high CVEs
 id: docker-scout-cves
 uses: docker/scout-action@v1
From 5b119c3e7216518934b542f8ff5ebc7bbeba21f6 Mon Sep 17 00:00:00 2001
From: Robert Waffen
Date: Wed, 31 Jul 2024 15:14:56 +0200
Subject: [PATCH 3/3] add write prermissions to prs
Signed-off-by: Robert Waffen
---
 .github/workflows/ci.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index b80ca73..6c7d5d0 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -29,6 +29,7 @@ jobs:
 actions: read
 contents: read
 security-events: write
+ pull-requests: write
 needs: setup-matrix
 strategy:
 matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
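Review bot: The new `Login to Docker Hub` step runs unconditionally, and `${{ secrets.DOCKERHUB_BOT_PASSWORD }}` is empty in runs triggered by pull requests from forks, so on those runs the login fails and the job stops before the scan instead of the scan merely being skipped; the workflow's `on:` triggers are outside the hunk, but if fork PRs reach this job the step needs an `if:` guard such as `if: github.event.pull_request.head.repo.full_name == github.repository`. The secret is passed as the password of a named bot account; a Docker Hub access token with read-only scope limits what a leaked CI credential can do, assuming the stored value is not already one. Scout can also take credentials through its own `dockerhub-user` and `dockerhub-password` inputs, which keeps the login scoped to the scan step rather than leaving the whole job's Docker daemon logged in.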
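Review bot: `pull-requests: write` is added to the job's permissions without anything in this series referencing it: the Scout step in the first patch sets neither `write-comment` nor `github-token`, and the SARIF upload needs only `security-events: write`, which was already present. Whether the scope is actually exercised therefore depends on scout-action's defaults (it posts a PR comment by default, as far as I know); make the dependency explicit by setting `write-comment: true` on the scan step and annotating the permission, e.g. `pull-requests: write  # Docker Scout posts its CVE summary on the PR`, or drop the line if no comment is wanted. Widening a job that builds and runs content from the pull request is exactly where the remaining `read` scopes on the lines above matter, so the new scope deserves a visible justification. The `permissions:` block's job header is outside the hunk.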