feat: switch container scanning to grype #2

	---
	name: Security Scanning 🕵️

	on:
	push:
	branches:
	- main
	pull_request:
	branches:
	- main

	jobs:
	setup-matrix:
	runs-on: ubuntu-latest
	outputs:
	matrix: ${{ steps.set-matrix.outputs.matrix }}
	steps:
	- name: Source checkout
	uses: actions/checkout@v4

	- id: set-matrix
	run: echo "matrix=$(jq -c . build_versions.json)" >> $GITHUB_OUTPUT

	scan_ci_container:
	name: 'Scan CI container'
	runs-on: ubuntu-latest
	permissions:
	actions: read
	contents: read
	security-events: write
	needs: setup-matrix
	strategy:
	matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
	steps:
	- name: Checkout repository
	uses: actions/checkout@v4

	- name: Build CI container
	uses: docker/build-push-action@v6
	with:
	tags: 'ci/pdc:${{ matrix.puppet_version }}'
	push: false
	build-args: \|
	PUPPET_RELEASE=${{ matrix.puppet_release }}
	PUPPET_VERSION=${{ matrix.puppet_version }}
	TERRAFORM_VERSION=${{ matrix.terraform_version }}
	PDK_VERSION=${{ matrix.pdk_version }}
	BOLT_VERSION=${{ matrix.bolt_version }}
	PUPPETDB_TERMINI_VERSION=${{ matrix.puppetdb_termini_version }}

	- name: Scan image with Anchore Grype
	uses: anchore/scan-action@v4
	id: scan
	with:
	image: 'ci/pdc:${{ matrix.puppet_version }}'
	fail-build: false

	- name: Inspect action SARIF report
	run: jq . ${{ steps.scan.outputs.sarif }}

	- name: Upload Anchore scan SARIF report
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: ${{ steps.scan.outputs.sarif }}

Provide feedback