feat: add Docker Hub authentication for Docker Scout

kristiyan-velkov · kristiyan-velkov · commit 7dc40ecd6f6b · 2025-11-09T21:46:57.000+02:00
- Add docker/login-action before Scout scan for authentication
- Update documentation to explain Scout requires Docker Hub auth
- Clarify DOCKER_USERNAME and DOCKERHUB_TOKEN are used by security.yml
- Scout will work properly when Docker Hub secrets are configured
diff --git a/.github/SECRETS_AND_VARIABLES.md b/.github/SECRETS_AND_VARIABLES.md
@@ -77,10 +77,18 @@ If you want to deploy images to Docker Hub, you need these secrets:
 
 **Impact if not set:**
 
-- CI workflows (lint, test, build, security) will work fine
+- CI workflows (lint, test, build) will work fine
+- Security workflow will work with limitations (Docker Scout may fail)
 - Only CD workflow (deployment) will fail
 - You can skip these if you don't need to push images to Docker Hub
 
+**Docker Scout Note:**
+
+- Docker Scout requires authentication to work properly
+- The same `DOCKER_USERNAME` and `DOCKERHUB_TOKEN` are used for Scout
+- Without these secrets, Scout will show "not entitled" error
+- The workflow continues with graceful fallback (doesn't block CI)
+
 ---
 
 ## 🔐 Automatic Secrets
@@ -486,12 +494,14 @@ git push origin v1.0.0
 | Secret                   | Required    | Used By            | Purpose                     | Get From            |
 | ------------------------ | ----------- | ------------------ | --------------------------- | ------------------- |
 | `GITHUB_TOKEN`           | ✅ Auto     | All workflows      | GitHub API access           | Automatic           |
-| `DOCKER_USERNAME`        | ✅ For CD   | cd.yml             | Docker Hub login            | hub.docker.com      |
-| `DOCKERHUB_TOKEN`        | ✅ For CD   | cd.yml             | Docker Hub push access      | hub.docker.com      |
+| `DOCKER_USERNAME`        | ✅ For CD   | cd.yml, security.yml | Docker Hub login          | hub.docker.com      |
+| `DOCKERHUB_TOKEN`        | ✅ For CD   | cd.yml, security.yml | Docker Hub push access    | hub.docker.com      |
 | `DOCKERHUB_PROJECT_NAME` | ✅ For CD   | cd.yml             | Docker Hub project name     | hub.docker.com      |
 | `SNYK_TOKEN`             | ⚠️ Optional | security.yml       | Snyk vulnerability scanning | snyk.io             |
 | `OPENAI_API_KEY`         | ⚠️ Optional | ai-code-review.yml | AI-powered code reviews     | platform.openai.com |
 
+> **Note:** `DOCKER_USERNAME` and `DOCKERHUB_TOKEN` are also used by `security.yml` to authenticate Docker Scout scans.
+
 ---
 
 ## 🎯 Workflow Capabilities by Setup Level
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -27,6 +27,13 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
+      - name: Log in to Docker Hub (for Docker Scout)
+        uses: docker/login-action@v3
+        continue-on-error: true
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
       - name: Build production image for scanning
         run: docker compose build react-prod
 
