install scout instead of distributing

action.yaml

@@ -172,9 +172,62 @@ inputs:
     required: false
 
 runs:
-  using: node20
-  main: index.js
-
-branding:
-  icon: shield
-  color: gray-dark
+  using: composite
+  steps:
+    - uses: ./actions/install
+      id: install-scout
+      name: Install Docker Scout
+      with:
+        digest: 91fd9f3
+    - uses: ./actions/run
+      id: run-scout
+      name: Run Docker Scout
+      with:
+        command: ${{ inputs.command }}
+        debug: ${{ inputs.debug }}
+        verbose-debug: ${{ inputs.verbose-debug }}
+        summary: ${{ inputs.summary }}
+        organization: ${{ inputs.organization }}
+        image: ${{ inputs.image }}
+        platform: ${{ inputs.platform }}
+        ref: ${{ inputs.ref }}
+        to: ${{ inputs.to }}
+        to-ref: ${{ inputs.to-ref }}
+        to-stream: ${{ inputs.to-stream }}
+        to-env: ${{ inputs.to-env }}
+        to-latest: ${{ inputs.to-latest }}
+        stream: ${{ inputs.stream }}
+        environment: ${{ inputs.environment }}
+        hide-policies: ${{ inputs.hide-policies }}
+        ignore-base: ${{ inputs.ignore-base }}
+        ignore-unchanged: ${{ inputs.ignore-unchanged }}
+        only-vex-affected: ${{ inputs.only-vex-affected }}
+        vex-author: ${{ inputs.vex-author }}
+        vex-location: ${{ inputs.vex-location }}
+        only-fixed: ${{ inputs.only-fixed }}
+        only-unfixed: ${{ inputs.only-unfixed }}
+        only-severities: ${{ inputs.only-severities }}
+        only-package-types: ${{ inputs.only-package-types }}
+        only-cisa-kev: ${{ inputs.only-cisa-kev }}
+        exit-code: ${{ inputs.exit-code }}
+        exit-on: ${{ inputs.exit-on }}
+        sarif-file: ${{ inputs.sarif-file }}
+        format: ${{ inputs.format }}
+        output: ${{ inputs.output }}
+        secrets: ${{ inputs.secrets }}
+        tags: ${{ inputs.tags }}
+        file: ${{ inputs.file }}
+        predicate-type: ${{ inputs.predicate-type }}
+        referrer: ${{ inputs.referrer }}
+        referrer-repository: ${{ inputs.referrer-repository }}
+        registry-write-user: ${{ inputs.registry-write-user }}
+        registry-write-password: ${{ inputs.registry-write-password }}
+        dockerhub-user: ${{ inputs.dockerhub-user }}
+        dockerhub-password: ${{ inputs.dockerhub-password }}
+        registry-user: ${{ inputs.registry-user }}
+        registry-password: ${{ inputs.registry-password }}
+        github-token: ${{ inputs.github-token }}
+        write-comment: ${{ inputs.write-comment }}
+        keep-previous-comments: ${{ inputs.keep-previous-comments }}
+
+

actions/install/action.yaml

@@ -0,0 +1,62 @@
+# https://help.github.com/en/articles/metadata-syntax-for-github-actions
+name: 'Install Docker Scout'
+description: 'Install docker scout CLI'
+
+inputs:
+  digest:
+    description: digest
+    required: true
+
+runs:
+  using: composite
+  steps:
+    -
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
+      id: run
+      with:
+        script: |
+          const fs = require('fs');
+          const os = require('os');
+          const path = require('path');
+
+          await core.group(`Pull docker/scout-cli image`, async () => {
+            await exec.exec(`docker pull docker.io/docker/scout-cli@${{ inputs.digest }}`);
+          });
+
+          await core.group(`Copy binary`, async () => {
+            const res = await exec.getExecOutput('docker', ['create', 'docker.io/docker/scout-cli@${{ inputs.digest }}'], {
+              ignoreReturnCode: true
+            });
+            if (res.stderr.length > 0 && res.exitCode != 0) {
+              throw new Error(res.stderr);
+            }
+            const ctnid = res.stdout.trim();
+            const dockerCfgPath = process.env.DOCKER_CONFIG || path.join(os.homedir(), '.docker');
+            const pluginsPath = path.join(dockerCfgPath, 'cli-plugins');
+            fs.mkdirSync(pluginsPath, {recursive: true});
+            await exec.exec(`docker cp ${ctnid}:/docker-scout ${pluginsPath}`);
+            await exec.exec(`docker rm -v ${ctnid}`);
+          });
+
+          await core.group(`Docker info`, async () => {
+            await exec.exec(`docker info`);
+          });
+
+          let version;
+          await core.group(`Docker scout version`, async () => {
+            const res = await exec.getExecOutput('docker', ['scout', 'version'], {
+              ignoreReturnCode: true,
+              silent: true
+            });
+            if (res.stderr.length > 0 && res.exitCode != 0) {
+              throw new Error(res.stderr);
+            }
+            const matchVersion = res.stdout.trim().match(/version:\s(.*?)\s/);
+            version = matchVersion ? matchVersion[1] : null;
+            if (!version) {
+              throw new Error('Failed to get Docker scout version');
+            }
+            core.info(version);
+          });
+
+          // TODO: cache binary