From a220e5de991f56b2a21902e34c49aa4310f04716 Mon Sep 17 00:00:00 2001
From: nessi
Date: Sat, 14 Feb 2026 18:31:10 +0100
Subject: [PATCH] Add Docker Hub authentication for Scout scans

This update ensures Docker Scout scans use Docker Hub authentication. If the required credentials are absent, the scans are skipped with a corresponding message. This improves security and prevents unnecessary scan failures.
---
 .../container-cve-scan-development.yml | 33 +++++++++++++++----
 1 file changed, 27 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/container-cve-scan-development.yml b/.github/workflows/container-cve-scan-development.yml
index 3104430..0ad28f1 100644
--- a/.github/workflows/container-cve-scan-development.yml
+++ b/.github/workflows/container-cve-scan-development.yml
@@ -17,6 +17,13 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
 
+ - name: Docker Hub login (for Scout)
+ if: ${{ secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
 - name: Build backend image (local)
 uses: docker/build-push-action@v6
 with:
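Review bot: The `if:` on the new "Docker Hub login (for Scout)" step reads `secrets.DOCKERHUB_USERNAME` and `secrets.DOCKERHUB_TOKEN` directly, but GitHub's context-availability table does not list the `secrets` context for `jobs.<job_id>.steps.if`, so this is likely to be rejected at workflow parse time with an unrecognized named-value error rather than quietly skipping the step. The usual workaround is to surface the values through the job's `env:` (the job header is outside this hunk) as `DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}` and `DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}`, then gate the step with `if: ${{ env.DOCKERHUB_USERNAME != '' && env.DOCKERHUB_TOKEN != '' }}`. Note that `docker/login-action` stores the credential in the runner's Docker config for the rest of the job and relies on its default post-step logout to remove it, so do not set `logout: false` here. Because this is a security workflow, consider pinning `docker/login-action` to a full commit SHA instead of the mutable `v3` tag.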
@@ -86,16 +93,30 @@ jobs:
 PY
 
 - name: Docker Scout scan (backend)
- continue-on-error: true
 run: |
- docker run --rm -v /var/run/docker.sock:/var/run/docker.sock docker/scout-cli:latest \
- cves nexapg-backend:dev-scan --only-severity critical,high,medium,low > scout-backend.txt
+ if [ -z "${{ secrets.DOCKERHUB_USERNAME }}" ] || [ -z "${{ secrets.DOCKERHUB_TOKEN }}" ]; then
+ echo "Docker Hub Scout scan skipped: DOCKERHUB_USERNAME/DOCKERHUB_TOKEN not set." > scout-backend.txt
+ exit 0
+ fi
+ docker run --rm \
+ -v /var/run/docker.sock:/var/run/docker.sock \
+ -e DOCKER_SCOUT_HUB_USER="${{ secrets.DOCKERHUB_USERNAME }}" \
+ -e DOCKER_SCOUT_HUB_PAT="${{ secrets.DOCKERHUB_TOKEN }}" \
+ docker/scout-cli:latest cves nexapg-backend:dev-scan \
+ --only-severity critical,high,medium,low > scout-backend.txt
 
 - name: Docker Scout scan (frontend)
- continue-on-error: true
 run: |
- docker run --rm -v /var/run/docker.sock:/var/run/docker.sock docker/scout-cli:latest \
- cves nexapg-frontend:dev-scan --only-severity critical,high,medium,low > scout-frontend.txt
+ if [ -z "${{ secrets.DOCKERHUB_USERNAME }}" ] || [ -z "${{ secrets.DOCKERHUB_TOKEN }}" ]; then
+ echo "Docker Hub Scout scan skipped: DOCKERHUB_USERNAME/DOCKERHUB_TOKEN not set." > scout-frontend.txt
+ exit 0
+ fi
+ docker run --rm \
+ -v /var/run/docker.sock:/var/run/docker.sock \
+ -e DOCKER_SCOUT_HUB_USER="${{ secrets.DOCKERHUB_USERNAME }}" \
+ -e DOCKER_SCOUT_HUB_PAT="${{ secrets.DOCKERHUB_TOKEN }}" \
+ docker/scout-cli:latest cves nexapg-frontend:dev-scan \
+ --only-severity critical,high,medium,low > scout-frontend.txt
 
 - name: Print scan summary
 run: |
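Review bot: Both new `run:` scripts expand `${{ secrets.DOCKERHUB_USERNAME }}` and `${{ secrets.DOCKERHUB_TOKEN }}` straight into the shell text (the two `[ -z ... ]` tests and the two `-e ...=` arguments), so the raw token is substituted into the script before bash parses it; a value containing `"` or `$` breaks the quoting, and inline secret expansion into `run:` is exactly what GitHub's hardening guidance says to replace with an intermediate environment variable. Setting the values in a step-level `env:` and passing them through with bare `-e DOCKER_SCOUT_HUB_USER -e DOCKER_SCOUT_HUB_PAT` keeps the token out of both the script text and the visible `docker run` command line. Two further points: dropping `continue-on-error: true` means any Scout failure (network, rate limit, image not found) now fails the job, which sits oddly with the commit message's claim about preventing unnecessary failures, so confirm that is intended; and `docker/scout-cli:latest` is a mutable tag on a tool that is handed the Docker socket, so pin it to a version tag or digest. The frontend step needs the same rewrite.

```yaml
      - name: Docker Scout scan (backend)
        env:
          DOCKER_SCOUT_HUB_USER: ${{ secrets.DOCKERHUB_USERNAME }}
          DOCKER_SCOUT_HUB_PAT: ${{ secrets.DOCKERHUB_TOKEN }}
        run: |
          if [ -z "$DOCKER_SCOUT_HUB_USER" ] || [ -z "$DOCKER_SCOUT_HUB_PAT" ]; then
            echo "Docker Hub Scout scan skipped: DOCKERHUB_USERNAME/DOCKERHUB_TOKEN not set." > scout-backend.txt
            exit 0
          fi
          # bare -e NAME passes the variable through from the step environment
          # without putting its value on the docker command line
          docker run --rm \
            -v /var/run/docker.sock:/var/run/docker.sock \
            -e DOCKER_SCOUT_HUB_USER \
            -e DOCKER_SCOUT_HUB_PAT \
            docker/scout-cli:latest cves nexapg-backend:dev-scan \
            --only-severity critical,high,medium,low > scout-backend.txt
      # … unchanged: frontend step (apply the same env/-e pattern) and "Print scan summary" …
```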