Investigate Docker Scout

Can we use Docker Scout in addition to trivy for vulnerability scanning during the build process, particularly since we control the build environment.

Useful links:

• https://docs.docker.com/scout/
• https://docs.docker.com/scout/integrations/ci/gha/

[reukiodo]

Trivy is what Palantir uses for CVE scanning and why we use it. It wouldn't hurt to add another, but replacing trivy could prove problematic in the future if Scout and trivy are using differen CVE sources.

Yeah I would just want to add it as a supplement since they do use different sources. Docker Scout also requires you to be logged into a Docker account so it may pose issues in our CI/CD but at least locally we can run it rather simply as another check.

Just an observation is that with the latest images Docker Scout does detect HIGH CVEs and Trivvy doesn't detect any errors at all.

[reukiodo]

can you add a step in degauss and postgis jobs for Docker Scout?

This should be reviewable now in two scripts on the perf-testing (#17) PR.

NOTE: Docker Scout requires you to be logged in to docker so I'd assume we would need to set that up on the build server

Looks like this is resolved w/ closing #17 .