[mod] ci: strict(er) exec (#5099)

All actions are pulled using the version hash, versions are handled by
dependabot, and we'll have control over which actions get updated.

Replaces Trivy scanner with Docker Scout, we have recently begun analyzing the
images there, and the action will keep us in sync about the problems on GHCS
dashboard.

1 files changed, 13 insertions, 11 deletions

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 669d0f293..8a59e5062 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -24,21 +24,23 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           persist-credentials: "false"
 
-      - name: Run Trivy scanner
-        uses: aquasecurity/trivy-action@0.32.0
+      - name: Sync GHCS from Docker Scout
+        uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de  # v1.18.2
         with:
-          image-ref: "ghcr.io/searxng/searxng:latest"
-          vuln-type: "os,library"
-          severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
-          ignore-unfixed: "false"
-          format: "sarif"
-          output: "./trivy-results.sarif"
+          organization: "searxng"
+          dockerhub-user: "${{ secrets.DOCKERHUB_USERNAME }}"
+          dockerhub-password: "${{ secrets.DOCKERHUB_TOKEN }}"
+          image: "registry://ghcr.io/searxng/searxng:latest"
+          command: "cves"
+          sarif-file: "./scout.sarif"
+          exit-code: "false"
+          write-comment: "false"
 
       - name: Upload SARIFs
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@a4e1a019f5e24960714ff6296aee04b736cbc3cf  # v3.29.6
         with:
-          sarif_file: "./trivy-results.sarif"
+          sarif_file: "./scout.sarif"