Investigate Docker Scout

[nanth-uw]

Can we use Docker Scout in addition to trivy for vulnerability scanning during the build process, particularly since we control the build environment.

Useful links:

• https://docs.docker.com/scout/
• https://docs.docker.com/scout/integrations/ci/gha/

[reukiodo]

Trivy is what Palantir uses for CVE scanning and why we use it. It wouldn't hurt to add another, but replacing trivy could prove problematic in the future if Scout and trivy are using differen CVE sources.

[nanth-uw]

Yeah I would just want to add it as a supplement since they do use different sources. Docker Scout also requires you to be logged into a Docker account so it may pose issues in our CI/CD but at least locally we can run it rather simply as another check.