
feat(ci): add dynamic Docker Scout security scanning#18

Open
alvinveroy wants to merge 3 commits into bettergovph:main from OpenBayanMesh:ci/add-docker-scout-scan

Conversation

@alvinveroy

Collaborator

Description

This pull request introduces a robust security scanning process using Docker Scout and enhances project transparency by displaying the results directly in the README.md.

Key Changes:

  1. PR Security Scan (docker-scout-scan.yml):

    • A new GitHub Actions workflow that automatically scans Docker images for vulnerabilities on every pull request to main.
    • The workflow will fail if new critical or high severity vulnerabilities are introduced compared to the latest image on the main branch.
    • Results are uploaded as SARIF files, integrating with the GitHub Security tab.
    • Includes a workflow_dispatch trigger, allowing the scan to be run manually on any branch.
  2. Dynamic README Badge (update-readme-scout.yml):

    • A second new workflow that triggers on every push to the main branch.
    • It scans the latest Docker image and automatically updates a new "Security" section in the README.md with the latest vulnerability report.
    • This provides immediate and public visibility into the security posture of the main branch.
  3. README.md Update:

    • A new "Security" section has been added to display the Docker Scout scan results.

New Secrets Required:

To enable these workflows, the following secrets must be configured in the repository settings under Settings > Secrets and variables > Actions:

  • DOCKER_USER: Your Docker Hub username.
  • DOCKER_PAT: A Docker Hub Personal Access Token.
  • REPO_PAT: A GitHub Personal Access Token with repo scope, required for the update-readme-scout.yml workflow to commit changes to the README.md.

Related Issue

None.

How to Test

Testing the PR Security Scan

  1. From this PR: The "Docker Scout PR Security Scan" workflow should already be running in the "Checks" tab of this pull request. You can inspect the results there.
  2. Manually:
    • Go to the Actions tab.
    • Select the Docker Scout PR Security Scan workflow.
    • Click Run workflow, choose the ci/add-docker-scout-scan branch, and run it.

Testing the Dynamic README Update

This workflow can only be fully tested after this PR is merged.

  1. Merge this PR into the main branch.
  2. Wait for the docker-build-and-publish.yml workflow to complete on the main branch. This will build and push the :latest image that the README updater needs to scan.
  3. Go to the Actions tab and observe the Update README with Docker Scout Results workflow. It will trigger automatically after the push to main.
  4. Verify the README.md: Once the workflow completes, check the README.md file on the main branch. The "Security" section should be updated with the latest scan results.
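
As an added example (not the YAML from this PR, which is not shown on the page), the PR-gating workflow described in item 1 could be written with docker/scout-action as below. The image name docker.io/example-org/example-app and the pr-scan tag are placeholders; the secret names are the ones the PR lists.

```yaml
# .github/workflows/docker-scout-scan.yml (illustrative; not the PR's actual file)
name: Docker Scout PR Security Scan

on:
  pull_request:
    branches: [main]
  workflow_dispatch:        # lets the scan be run by hand on any branch

# Least privilege: the job only reads the repo and writes code-scanning alerts.
permissions:
  contents: read
  security-events: write

env:
  # Hypothetical image name; the project's real image is not shown on the page.
  IMAGE: docker.io/example-org/example-app

jobs:
  scout:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_PAT }}

      # Build the candidate image into the local engine only; nothing is pushed for a PR.
      - name: Build PR image
        uses: docker/build-push-action@v6
        with:
          context: .
          push: false
          load: true
          tags: ${{ env.IMAGE }}:pr-scan

      # Gate: compare the PR image against the published :latest and fail the job
      # (non-zero exit) only when new critical/high CVEs appear in the diff.
      - name: Fail on new critical/high CVEs versus main
        uses: docker/scout-action@v1
        with:
          command: compare
          image: ${{ env.IMAGE }}:pr-scan
          to: ${{ env.IMAGE }}:latest
          only-severities: critical,high
          ignore-unchanged: true
          exit-code: true
          dockerhub-user: ${{ secrets.DOCKER_USER }}
          dockerhub-password: ${{ secrets.DOCKER_PAT }}

      # Report: full CVE list as SARIF, produced even when the gate above fails.
      - name: Generate SARIF report
        if: always()
        uses: docker/scout-action@v1
        with:
          command: cves
          image: ${{ env.IMAGE }}:pr-scan
          sarif-file: scout.sarif
          summary: true
          dockerhub-user: ${{ secrets.DOCKER_USER }}
          dockerhub-password: ${{ secrets.DOCKER_PAT }}

      - name: Upload SARIF to the Security tab
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: scout.sarif
```

Two things to check before relying on a workflow shaped like this: GitHub does not expose repository secrets to `pull_request` runs triggered from forks, so the login and compare steps fail for external contributors unless the scan is restructured (for example, scanning without Docker Hub authentication), and `compare` needs a published `:latest` baseline, so the first run on a fresh repository has nothing to diff against. The `if: always()` on the report steps keeps the SARIF upload happening even when the gate fails.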

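The README updater from item 2, again as an added example rather than the PR's own file: it scans the published image, splices the report between two HTML-comment markers assumed to exist in the README's Security section (<!-- docker-scout:start --> and <!-- docker-scout:end -->, hypothetical names), and commits with REPO_PAT as the PR describes. The image name is the same placeholder as above.

```yaml
# .github/workflows/update-readme-scout.yml (illustrative; not the PR's actual file)
name: Update README with Docker Scout Results

on:
  push:
    branches: [main]
    paths-ignore:
      - README.md           # the workflow's own commit must not re-trigger it

permissions:
  contents: write

env:
  IMAGE: docker.io/example-org/example-app   # hypothetical image name

jobs:
  update-readme:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Pushing with a PAT (as the PR requires) re-triggers push workflows,
          # which is why the trigger above ignores README-only pushes.
          token: ${{ secrets.REPO_PAT }}

      - name: Install the Docker Scout CLI plugin
        run: curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --

      - name: Log in to Docker Hub
        env:
          DOCKER_USER: ${{ secrets.DOCKER_USER }}
          DOCKER_PAT: ${{ secrets.DOCKER_PAT }}
        run: echo "$DOCKER_PAT" | docker login -u "$DOCKER_USER" --password-stdin

      - name: Scan the published :latest image
        run: docker scout cves --format markdown --output scout.md "$IMAGE:latest"

      # Replace only the text between the markers, leaving the rest of the README intact.
      - name: Rewrite the Security section
        run: |
          grep -q '<!-- docker-scout:start -->' README.md && grep -q '<!-- docker-scout:end -->' README.md \
            || { echo "README.md is missing the docker-scout markers" >&2; exit 1; }
          awk -v report=scout.md '
            /<!-- docker-scout:start -->/ { print; while ((getline line < report) > 0) print line; skip=1; next }
            /<!-- docker-scout:end -->/   { skip=0 }
            !skip
          ' README.md > README.new && mv README.new README.md

      - name: Commit and push if the section changed
        run: |
          git config user.name  "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git add README.md
          git diff --cached --quiet && { echo "No change to the Security section"; exit 0; }
          git commit -m "docs: refresh Docker Scout results [skip ci]"
          git push
```

The `paths-ignore` filter and the `[skip ci]` trailer are belt-and-braces against a commit loop: a PAT-authored push to main is an ordinary push event, so without them this workflow (and the image publish workflow) would run again on its own commit. Note also that a `push`-triggered scan races the publish workflow started by the same push; the "How to Test" steps above wait for the build to finish by hand, and a `workflow_run` trigger on the publish workflow would enforce that ordering automatically.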
