ci: replace Trivy with Docker Scout for image scanning (#614)

## Summary
- Replace `aquasecurity/trivy-action` with `docker/scout-action` (v1,
pinned to SHA) across all 3 security scan workflows (CI, daily alpine,
daily distroless)
- Motivated by recent security incidents with Trivy as a vendor; Docker
Scout is from Docker Inc., an existing vendor relationship
- Added Docker Hub authentication via `release-secrets` (required for
Scout API access)
- Also pinned pre-existing `docker/setup-qemu-action` and
`docker/setup-buildx-action` to commit SHAs in CI

## Test plan
- [ ] Verify the CI `security-scan` job runs successfully on this PR
- [ ] Confirm Docker Scout correctly identifies CVEs in the built images
- [ ] Manually trigger daily scan workflows after merge to verify they
work with published images
- [ ] Verify `release-secrets` AWS role assumption works in the
security-scan job context

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Matthew M. Keeler <mkeeler@launchdarkly.com>
Co-authored-by: Matthew M. Keeler <keelerm84@gmail.com>

Author: 3 people

.github/workflows/ci.yml

@@ -1,13 +1,13 @@
 name: CI
 on:
   push:
-    branches: [ 'v8' ]
+    branches: ["v8"]
     paths-ignore:
-      - '**.md' # Don't run CI on markdown changes.
+      - "**.md" # Don't run CI on markdown changes.
   pull_request:
-    branches: [ 'v8', 'feat/**' ]
+    branches: ["v8", "feat/**"]
     paths-ignore:
-      - '**.md'
+      - "**.md"
 
 jobs:
   go-versions:
@@ -51,65 +51,69 @@ jobs:
       id-token: write
       contents: read
     with:
-      environment: 'staging'
+      environment: "staging"
       go-version: ${{ needs.go-versions.outputs.latest }}
 
-
   security-scan:
     needs: go-versions
     runs-on: ubuntu-latest
-    name: "Trivy Scan of Docker Image"
-    env:
-      # Avoid rate-limiting on ghcr.io (https://github.com/aquasecurity/trivy-action/issues/389)
-      TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+    name: "Docker Scout Scan"
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          fetch-tags: 'true'
+          fetch-tags: "true"
       - name: Setup Go ${{ inputs.go-version }}
         uses: actions/setup-go@v5
         with:
           go-version: ${{ needs.go-versions.outputs.latest }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
       - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
         with:
           platforms: linux/amd64,linux/arm64/v8,linux/arm/v7,linux/386
       - name: Build Docker Images
         run: make products-for-release
       - name: Get current Relay version
         id: image-tag
-        run:
-          echo "value=$(jq -r '.version' < dist/metadata.json)" >> $GITHUB_OUTPUT
-      - uses: aquasecurity/trivy-action@master
+        run: echo "value=$(jq -r '.version' < dist/metadata.json)" >> $GITHUB_OUTPUT
+      - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        with:
+          username: ${{ vars.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_RO_TOKEN }}
+      - uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2
         id: scan-alpine
         continue-on-error: true
         with:
+          command: cves
           # Using an explicit tag rather than ld-relay:latest to ensure we're scanning the local image that we just built.
           # It's not clear why, but it seems goreleaser doesn't create the :latest tag when skipping the publish step
           # as we do for CI, so the scan will end up checking the public image instead of the one we just built.
-          image-ref: launchdarkly/ld-relay:${{ steps.image-tag.outputs.value }}-amd64
-          format: 'table'
-          exit-code: '1'
-          ignore-unfixed: true
-      - uses: aquasecurity/trivy-action@master
+          image: local://launchdarkly/ld-relay:${{ steps.image-tag.outputs.value }}-amd64
+          exit-code: true
+          only-fixed: true
+          write-comment: false
+      - uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2
         id: scan-distroless
         continue-on-error: true
         with:
-          image-ref: launchdarkly/ld-relay:${{ steps.image-tag.outputs.value }}-static-debian12-nonroot-amd64
-          format: 'table'
-          exit-code: '1'
-          ignore-unfixed: true
-      - uses: aquasecurity/trivy-action@master
+          command: cves
+          image: local://launchdarkly/ld-relay:${{ steps.image-tag.outputs.value }}-static-debian12-nonroot-amd64
+          exit-code: true
+          only-fixed: true
+          write-comment: false
+      - uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2
         continue-on-error: true
         id: scan-debug-distroless
         with:
-          image-ref: launchdarkly/ld-relay:${{ steps.image-tag.outputs.value }}-static-debian12-debug-nonroot-amd64
-          format: 'table'
-          exit-code: '1'
-          ignore-unfixed: true
+          command: cves
+          image: local://launchdarkly/ld-relay:${{ steps.image-tag.outputs.value }}-static-debian12-debug-nonroot-amd64
+          exit-code: true
+          only-fixed: true
+          write-comment: false
       - name: Fail if any of scan-alpine, scan-distroless, or scan-distroless-debug failed
         if: ${{ steps.scan-alpine.outcome != 'success' || steps.scan-distroless.outcome != 'success' || steps.scan-debug-distroless.outcome != 'success' }}
         run: exit 1

.github/workflows/daily-security-scan-alpine.yml

@@ -11,14 +11,17 @@ jobs:
         tag: ['latest', 'latest-alpine', 'v8', 'v8-alpine']
       fail-fast: false
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
-      - uses: aquasecurity/trivy-action@master
-        env:
-          # Avoid rate-limiting on ghcr.io (https://github.com/aquasecurity/trivy-action/issues/389)
-          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+      - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
-          image-ref: launchdarkly/ld-relay:${{ matrix.tag }}
-          format: 'table'
-          exit-code: '1'
-          ignore-unfixed: true
+          username: ${{ vars.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_RO_TOKEN }}
+      - uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2
+        with:
+          command: cves
+          image: launchdarkly/ld-relay:${{ matrix.tag }}
+          exit-code: true
+          only-fixed: true
+          write-comment: false

.github/workflows/daily-security-scan-distroless.yml

@@ -11,14 +11,17 @@ jobs:
         tag: ['latest-static-debian12-nonroot', 'v8-static-debian12-debug-nonroot']
       fail-fast: false
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
-      - uses: aquasecurity/trivy-action@master
-        env:
-          # Avoid rate-limiting on ghcr.io (https://github.com/aquasecurity/trivy-action/issues/389)
-          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+      - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
-          image-ref: launchdarkly/ld-relay:${{ matrix.tag }}
-          format: 'table'
-          exit-code: '1'
-          ignore-unfixed: true
+          username: ${{ vars.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_RO_TOKEN }}
+      - uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2
+        with:
+          command: cves
+          image: launchdarkly/ld-relay:${{ matrix.tag }}
+          exit-code: true
+          only-fixed: true
+          write-comment: false