NH-96772: add docker scout

.github/workflows/release.yml

@@ -386,8 +386,8 @@ jobs:
 
   docker_hub:
     runs-on: ubuntu-latest
-    needs:
-      - github_release
+#    needs:
+#      - github_release
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -414,13 +414,44 @@ jobs:
           username: ${{ secrets.DOCKER_HUB_CI_USER }}
           password: ${{ secrets.DOCKER_HUB_CI_PASSWORD }}
 
-      - name: Build and push
-        uses: docker/build-push-action@v5
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v4
         with:
-          push: true
-          context: agent
-          platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
-          tags: ${{ github.repository_owner }}/autoinstrumentation-java:${{ steps.set_version.outputs.version }},${{ github.repository_owner }}/autoinstrumentation-java:latest
+          images: ${{ github.repository_owner }}/autoinstrumentation-java
+          tags: |
+            type=raw,value=${{ steps.set_version.outputs.version }}
+            type=raw,value=latest
+          labels: |
+            maintainer=swo-librarians
+            org.opencontainers.image.title=apm-java
+            org.opencontainers.image.description=Solarwinds OTEL distro Java agent
+            org.opencontainers.image.vendor=SolarWinds Worldwide, LLC
+
+#      - name: Build and push
+#        uses: docker/build-push-action@v5
+#        with:
+#          push: true
+#          context: agent
+#          platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
+#          tags: ${{ steps.meta.outputs.tags }}
+#          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Analyze for critical and high CVEs
+        id: docker-scout-cves
+        uses: docker/scout-action@v1
+        with:
+          command: cves
+          image: ${{ steps.meta.outputs.tags }}
+          sarif-file: sarif.output.json
+          platform: "linux/amd64"
+          summary: true
+
+      - name: Upload SARIF result
+        id: upload-sarif
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: sarif.output.json
 
   ghrc_io:
     runs-on: ubuntu-latest