diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f4391f2b..080e5217 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,13 +1,13 @@ name: CI on: push: - branches: [ 'v8' ] + branches: ["v8"] paths-ignore: - - '**.md' # Don't run CI on markdown changes. + - "**.md" # Don't run CI on markdown changes. pull_request: - branches: [ 'v8', 'feat/**' ] + branches: ["v8", "feat/**"] paths-ignore: - - '**.md' + - "**.md" jobs: go-versions: 
@@ -51,65 +51,69 @@ jobs: id-token: write contents: read with: - environment: 'staging' + environment: "staging" go-version: ${{ needs.go-versions.outputs.latest }} - security-scan: needs: go-versions runs-on: ubuntu-latest - name: "Trivy Scan of Docker Image" - env: - # Avoid rate-limiting on ghcr.io (https://github.com/aquasecurity/trivy-action/issues/389) - TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2 + name: "Docker Scout Scan" + permissions: + contents: read steps: - uses: actions/checkout@v4 with: fetch-depth: 0 - fetch-tags: 'true' + fetch-tags: "true" - name: Setup Go ${{ inputs.go-version }} uses: actions/setup-go@v5 with: go-version: ${{ needs.go-versions.outputs.latest }} - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 - name: Setup Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 with: platforms: linux/amd64,linux/arm64/v8,linux/arm/v7,linux/386 - name: Build Docker Images run: make products-for-release - name: Get current Relay version id: image-tag - run: - echo "value=$(jq -r '.version' < dist/metadata.json)" >> $GITHUB_OUTPUT - - uses: aquasecurity/trivy-action@master + run: echo "value=$(jq -r '.version' < dist/metadata.json)" >> $GITHUB_OUTPUT + - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 + with: + username: ${{ vars.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_RO_TOKEN }} + - uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2 id: scan-alpine continue-on-error: true with: + command: cves # Using an explicit tag rather than ld-relay:latest to ensure we're scanning the local image that we just built. 
# It's not clear why, but it seems goreleaser doesn't create the :latest tag when skipping the publish step # as we do for CI, so the scan will end up checking the public image instead of the one we just built. - image-ref: launchdarkly/ld-relay:${{ steps.image-tag.outputs.value }}-amd64 - format: 'table' - exit-code: '1' - ignore-unfixed: true - - uses: aquasecurity/trivy-action@master + image: local://launchdarkly/ld-relay:${{ steps.image-tag.outputs.value }}-amd64 + exit-code: true + only-fixed: true + write-comment: false + - uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2 id: scan-distroless continue-on-error: true with: - image-ref: launchdarkly/ld-relay:${{ steps.image-tag.outputs.value }}-static-debian12-nonroot-amd64 - format: 'table' - exit-code: '1' - ignore-unfixed: true - - uses: aquasecurity/trivy-action@master + command: cves + image: local://launchdarkly/ld-relay:${{ steps.image-tag.outputs.value }}-static-debian12-nonroot-amd64 + exit-code: true + only-fixed: true + write-comment: false + - uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2 continue-on-error: true id: scan-debug-distroless with: - image-ref: launchdarkly/ld-relay:${{ steps.image-tag.outputs.value }}-static-debian12-debug-nonroot-amd64 - format: 'table' - exit-code: '1' - ignore-unfixed: true + command: cves + image: local://launchdarkly/ld-relay:${{ steps.image-tag.outputs.value }}-static-debian12-debug-nonroot-amd64 + exit-code: true + only-fixed: true + write-comment: false - name: Fail if any of scan-alpine, scan-distroless, or scan-distroless-debug failed if: ${{ steps.scan-alpine.outcome != 'success' || steps.scan-distroless.outcome != 'success' || steps.scan-debug-distroless.outcome != 'success' }} run: exit 1
diff --git a/.github/workflows/daily-security-scan-alpine.yml b/.github/workflows/daily-security-scan-alpine.yml
index 48fbf6d5..163d74b8 100644
--- a/.github/workflows/daily-security-scan-alpine.yml 
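Review bot: The new docker/setup-qemu-action, setup-buildx-action, login-action and scout-action steps are pinned to full commit SHAs with version comments, but the same job keeps `actions/checkout@v4` and `actions/setup-go@v5` on mutable tags, so the job's supply-chain posture is still only as strong as its weakest pin; pin those two the same way or add a comment stating why they are exempt. The new `docker/login-action` step reads `secrets.DOCKER_RO_TOKEN` and has no `continue-on-error`, while this workflow also triggers on `pull_request` for `v8` and `feat/**`; if pull requests from forks can reach this job, secrets are empty there and the login fails before any scan runs, so either a comment stating that assumption or a guard such as `if: ${{ github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork }}` is worth adding. The login step and the three scout steps carry an `id:` but no `name:`, so the job log identifies them only by action reference; `name: Log in to Docker Hub (read-only)` and `name: Scout CVE scan (alpine)` etc. would make a failing step obvious, and the same applies to both daily-security-scan hunks.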
+++ b/.github/workflows/daily-security-scan-alpine.yml
@@ -11,14 +11,17 @@ jobs: tag: ['latest', 'latest-alpine', 'v8', 'v8-alpine'] fail-fast: false runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v4 - - uses: aquasecurity/trivy-action@master - env: - # Avoid rate-limiting on ghcr.io (https://github.com/aquasecurity/trivy-action/issues/389) - TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2 + - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 with: - image-ref: launchdarkly/ld-relay:${{ matrix.tag }} - format: 'table' - exit-code: '1' - ignore-unfixed: true + username: ${{ vars.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_RO_TOKEN }} + - uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2 + with: + command: cves + image: launchdarkly/ld-relay:${{ matrix.tag }} + exit-code: true + only-fixed: true + write-comment: false
diff --git a/.github/workflows/daily-security-scan-distroless.yml b/.github/workflows/daily-security-scan-distroless.yml
index 2fda4b65..568145cd 100644
--- a/.github/workflows/daily-security-scan-distroless.yml
+++ b/.github/workflows/daily-security-scan-distroless.yml 
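Review bot: With the `actions/checkout@v4` step removed, this job no longer reads the repository, so the newly added `permissions: contents: read` grants the GITHUB_TOKEN a scope nothing in the job uses; `permissions: {}` is the least-privilege form here, unless docker/scout-action needs the token for something not visible in the hunk (`write-comment: false` suggests it does not). The `docker/login-action` step has no `continue-on-error`, so an expired `DOCKER_RO_TOKEN` or an unset `vars.DOCKER_USERNAME` now fails every matrix entry before a scan is attempted; a one-line comment above the login step, e.g. `# Read-only Docker Hub login; Scout needs an authenticated session to run the CVE scan`, would record why a scheduled scan of a public image needs a credential at all. The same two points apply to the daily-security-scan-distroless hunk, which differs only in its matrix tags.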
@@ -11,14 +11,17 @@ jobs: tag: ['latest-static-debian12-nonroot', 'v8-static-debian12-debug-nonroot'] fail-fast: false runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v4 - - uses: aquasecurity/trivy-action@master - env: - # Avoid rate-limiting on ghcr.io (https://github.com/aquasecurity/trivy-action/issues/389) - TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2 + - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 with: - image-ref: launchdarkly/ld-relay:${{ matrix.tag }} - format: 'table' - exit-code: '1' - ignore-unfixed: true + username: ${{ vars.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_RO_TOKEN }} + - uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2 + with: + command: cves + image: launchdarkly/ld-relay:${{ matrix.tag }} + exit-code: true + only-fixed: true + write-comment: false