Update CVE scanning workflow to use JSON format and new tools

Replaced Trivy output format from table to JSON for better processing. Added a summary step to parse and count severities using a Python script. Integrated Docker Scout scans for both backend and frontend, and updated uploaded artifacts to include the new JSON and Scout scan outputs.

.github/workflows/container-cve-scan-development.yml

@@ -45,8 +45,8 @@ jobs:
         uses: aquasecurity/trivy-action@0.24.0
         with:
           image-ref: nexapg-backend:dev-scan
-          format: table
-          output: trivy-backend.txt
+          format: json
+          output: trivy-backend.json
           severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
           ignore-unfixed: false
           exit-code: 0
@@ -55,24 +55,62 @@ jobs:
         uses: aquasecurity/trivy-action@0.24.0
         with:
           image-ref: nexapg-frontend:dev-scan
-          format: table
-          output: trivy-frontend.txt
+          format: json
+          output: trivy-frontend.json
           severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
           ignore-unfixed: false
           exit-code: 0
 
+      - name: Summarize Trivy severities
+        run: |
+          python - <<'PY'
+          import json
+          from collections import Counter
+          
+          def summarize(path):
+              c = Counter()
+              with open(path, "r", encoding="utf-8") as f:
+                  data = json.load(f)
+              for result in data.get("Results", []):
+                  for v in result.get("Vulnerabilities", []) or []:
+                      c[v.get("Severity", "UNKNOWN")] += 1
+              for sev in ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]:
+                  c.setdefault(sev, 0)
+              return c
+          
+          for label, path in [("backend", "trivy-backend.json"), ("frontend", "trivy-frontend.json")]:
+              s = summarize(path)
+              print(f"===== Trivy {label} =====")
+              print(f"CRITICAL={s['CRITICAL']} HIGH={s['HIGH']} MEDIUM={s['MEDIUM']} LOW={s['LOW']} UNKNOWN={s['UNKNOWN']}")
+              print()
+          PY
+
+      - name: Docker Scout scan (backend)
+        continue-on-error: true
+        run: |
+          docker run --rm -v /var/run/docker.sock:/var/run/docker.sock docker/scout-cli:latest \
+            cves nexapg-backend:dev-scan --only-severity critical,high,medium,low > scout-backend.txt
+
+      - name: Docker Scout scan (frontend)
+        continue-on-error: true
+        run: |
+          docker run --rm -v /var/run/docker.sock:/var/run/docker.sock docker/scout-cli:latest \
+            cves nexapg-frontend:dev-scan --only-severity critical,high,medium,low > scout-frontend.txt
+
       - name: Print scan summary
         run: |
-          echo "===== Backend CVE Scan ====="
-          cat trivy-backend.txt
+          echo "===== Docker Scout backend ====="
+          test -f scout-backend.txt && cat scout-backend.txt || echo "scout-backend.txt not available"
           echo
-          echo "===== Frontend CVE Scan ====="
-          cat trivy-frontend.txt
+          echo "===== Docker Scout frontend ====="
+          test -f scout-frontend.txt && cat scout-frontend.txt || echo "scout-frontend.txt not available"
 
       - name: Upload scan reports
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v3
         with:
           name: container-cve-scan-reports
           path: |
-            trivy-backend.txt
-            trivy-frontend.txt
+            trivy-backend.json
+            trivy-frontend.json
+            scout-backend.txt
+            scout-frontend.txt