Add Docker Scout scanning to CI workflow

.github/workflows/ci.yml

@@ -7,6 +7,9 @@ on:
       - master
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     runs-on: ubuntu-latest
@@ -39,6 +42,51 @@ jobs:
       - name: Build API Gateway image
         run: docker build -t api-gateway ./api-gateway
 
+  docker-scout:
+    needs: build-and-test
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    strategy:
+      matrix:
+        include:
+          - service: auth
+            context: ./auth
+            image: auth-service
+          - service: product
+            context: ./product
+            image: product-service
+          - service: order
+            context: ./order
+            image: order-service
+          - service: api-gateway
+            context: ./api-gateway
+            image: api-gateway
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build ${{ matrix.service }} service image
+        run: docker build -t ${{ matrix.image }}:scout ${{ matrix.context }}
+
+      - name: Analyze ${{ matrix.service }} image with Docker Scout
+        uses: docker/scout-action@v1
+        with:
+          command: cves
+          image: ${{ matrix.image }}:scout
+          sarif-file: ${{ matrix.image }}-docker-scout.sarif
+          exit-code: false
+          accept-license: true
+
+      - name: Upload Docker Scout results
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ matrix.image }}-docker-scout.sarif
+
   push-docker-images:
     needs: build-and-test
     if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master')