Merge pull request #4929 from jaredb96/dockerhub-cve-scan

Dockerhub CVE scan

.github/workflows/dockerhub-push.yml

@@ -31,8 +31,22 @@ jobs:
       - name: Push image to Docker Hub
         run: docker push ${{ secrets.DOCKERHUB_USERNAME }}/hmda:latest
 
-      - name: Check image for CVEs
+      - name: Run Docker Scout CVE scan
+        if: ${{ github.event_name != 'pull_request_target' }}
         uses: docker/scout-action@v1
         with:
           command: cves
-          image: ${{ secrets.DOCKERHUB_USERNAME }}/hmda:latest
+          image: ${{ secrets.DOCKERHUB_USERNAME }}/hmda:latest
+          sarif-file: sarif.output.json
+          summary: true
+
+      - name: Upload CVE scan to artifact
+        if: ${{ github.event_name != 'pull_request_target' }}
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: sarif.output.json
+
+      - name: Post comment with report link
+        uses: thollander/actions-comment-pull-request@v3
+        with:
+          message: CVE scan report generated by Docker Scout are available. Check the Actions tab to download the report.