fix: Docker Scout authentication & CI permissions

kristiyan-velkov · kristiyan-velkov · commit 2b6aa1e216c3 · 2025-11-09T21:42:21.000+02:00
- Add continue-on-error to all Docker Scout steps (handle free tier limits)
- Fix SARIF upload to check if file exists before uploading
- Add actions: read permission to security job in CI workflow

Fixes:
- Docker Scout 'not entitled' error won't block workflow
- CI permissions error for snyk-scan job
- Graceful degradation when Scout quota exceeded
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -28,14 +28,14 @@ jobs:
             contents: read
             pull-requests: write
             checks: write
-            
+
     test:
         name: Tests & Coverage
         uses: ./.github/workflows/test.yml
         permissions:
             contents: read
             pull-requests: write
-            
+
     build:
         name: Build Validation
         uses: ./.github/workflows/build.yml
@@ -50,6 +50,7 @@ jobs:
             contents: read
             pull-requests: write
             security-events: write
+            actions: read
 
     # Final validation step
     ci-success:
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -32,6 +32,7 @@ jobs:
 
       - name: Docker Scout - Quickview
         uses: docker/scout-action@v1
+        continue-on-error: true
         with:
           command: quickview
           image: docker-reactjs-sample
@@ -41,6 +42,7 @@ jobs:
 
       - name: Docker Scout - CVEs Analysis
         uses: docker/scout-action@v1
+        continue-on-error: true
         with:
           command: cves
           image: docker-reactjs-sample
@@ -53,6 +55,7 @@ jobs:
 
       - name: Docker Scout - Base Image Recommendations
         uses: docker/scout-action@v1
+        continue-on-error: true
         with:
           command: recommendations
           image: docker-reactjs-sample
@@ -61,6 +64,7 @@ jobs:
 
       - name: Docker Scout - Compare to Latest
         uses: docker/scout-action@v1
+        continue-on-error: true
         if: github.event_name == 'pull_request'
         with:
           command: compare
@@ -73,7 +77,7 @@ jobs:
 
       - name: Upload Scout SARIF results to GitHub Security
         uses: github/codeql-action/upload-sarif@v3
-        if: always()
+        if: always() && hashFiles('scout-cves.sarif') != ''
         with:
           sarif_file: scout-cves.sarif
           category: docker-scout
