Migrate from Trivy to Docker scout

.github/workflows/docker-scan.yml

@@ -22,6 +22,7 @@ permissions:
   contents: read
   actions: read
   security-events: write
+  pull-requests: write  # Required for Docker Scout PR comments
 
 jobs:
   scan:
@@ -47,30 +48,28 @@ jobs:
           # Disable GitHub Actions cache for this workflow
           no-cache: true
 
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.28.0
+      - name: Docker Scout vulnerability scan
+        uses: docker/scout-action@v1
         with:
-          image-ref: gitea-mirror:scan
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-          exit-code: '1'
-          ignore-unfixed: false
-          vuln-type: 'os,library'
-          severity: 'CRITICAL,HIGH'
+          command: cves
+          image: gitea-mirror:scan
+          sarif-file: scout-results.sarif
+          summary: true
+          exit-code: true
+          only-severities: critical,high
+          write-comment: true
 
-      - name: Upload Trivy scan results to GitHub Security tab
+      - name: Upload Docker Scout scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3
         if: always()
         with:
-          sarif_file: 'trivy-results.sarif'
+          sarif_file: scout-results.sarif
 
-      - name: Run Trivy vulnerability scanner (table output)
-        uses: aquasecurity/trivy-action@0.28.0
-        if: failure()
+      - name: Docker Scout policy evaluation
+        uses: docker/scout-action@v1
+        if: always()
         with:
-          image-ref: gitea-mirror:scan
-          format: 'table'
-          exit-code: '0'
-          ignore-unfixed: false
-          vuln-type: 'os,library'
-          severity: 'CRITICAL,HIGH'
+          command: policy
+          image: gitea-mirror:scan
+          exit-code: false
+          write-comment: true