docker scout

.devcontainer/devcontainer.json

@@ -16,7 +16,9 @@
 	"customizations": {
 		"vscode": {
 			"extensions": [
-				"redhat.vscode-yaml"
+				"redhat.vscode-yaml",
+				"ms-azuretools.vscode-containers",
+				"docker.docker"
 			],
 			"settings": {
 				"yaml.schemas": {

.devcontainer/installMoreTools.sh

@@ -23,5 +23,8 @@ sudo mv ./kind /usr/local/bin/kind
 sudo wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq
 sudo chmod +x /usr/bin/yq
 
+sudo curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
+sh install-scout.sh
+
 cd ..
 rm -rf install-more-tools

.github/workflows/open-pr.yml

@@ -8,6 +8,55 @@ env:
   SCORE_K8S_VERSION: 'latest'
   WORKLOAD_NAME: my-sample-workload
 jobs:
+  scan-and-compare:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: checkout code
+        uses: actions/checkout@v5
+      - name: Set up Docker
+        uses: docker/setup-docker-action@v4
+        with:
+          daemon-config: |
+            {
+              "debug": true,
+              "features": {
+                "containerd-snapshotter": true
+              }
+            }
+      - name: docker login
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USER }}
+          password: ${{ secrets.DOCKER_PAT }}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Build container image
+        uses: docker/build-push-action@v6
+        with:
+          context: app/
+          push: false
+          load: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          provenance: mode=max
+          sbom: true
+          tags: ${{ env.WORKLOAD_NAME }}:test
+      - name: docker images
+        run: |
+          docker images
+      - name: Docker Scout
+        id: docker-scout
+        if: ${{ github.event_name == 'pull_request' }}
+        uses: docker/scout-action@v1
+        with:
+          command: quickview
+          image: local://${{ env.WORKLOAD_NAME }}:test
+          to: ghcr.io/mathieu-benoit/my-sample-workload:latest
+          write-comment: true
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+      - name: docker scout version
+        run: |
+          docker scout version
   multi-arch-build:
     runs-on: ubuntu-latest
     steps:
@@ -24,6 +73,8 @@ jobs:
           platforms: linux/amd64,linux/arm64
           file: app/Dockerfile
           push: false
+          provenance: mode=max
+          sbom: true
           tags: "${{ env.WORKLOAD_NAME }}:test"
   make-compose-test:
     runs-on: ubuntu-24.04
@@ -47,7 +98,7 @@ jobs:
     steps:
       - name: checkout code
         uses: actions/checkout@v5
-      - name: make kind-create-cluster
+      - name: docker build
         run: |
           docker build -t ${{ env.WORKLOAD_NAME }}:test app/
       - name: make kind-create-cluster

Makefile

@@ -15,6 +15,16 @@ WORKLOAD_NAME = my-sample-workload
 CONTAINER_NAME = my-sample-container
 CONTAINER_IMAGE = ${WORKLOAD_NAME}:test
 
+## Manually build the container image.
+.PHONY: build-container
+build-container:
+	docker build -t ${CONTAINER_IMAGE} --sbom=true --provenance=true app/
+
+## Manually buildx the container image.
+.PHONY: buildx-container
+buildx-container:
+	docker buildx build -t ${CONTAINER_IMAGE} --load --attest type=provenance,mode=max app/
+
 .score-compose/state.yaml:
 	score-compose init \
 		--no-sample \