chore: migrate container scanning from Snyk to Docker Scout (#124)

## Summary

Replace Snyk container vulnerability scanning with **Docker Scout** —
Docker's official first-party tool.

## Changes

- **Removed** `.github/workflows/snyk-container-analysis.yml`
- **Added** `.github/workflows/docker-scout.yml` using
`docker/scout-action@v1`
- **Updated** README badge from Snyk Container → Docker Scout

## Why

| | Snyk | Docker Scout |
|---|---|---|
| Vendor | 3rd party | **Docker (official)** |
| API token | Required (`SNYK_TOKEN`) | None needed for public repos |
| Free tier | Limited scans | Unlimited for public repos |

## Behavior

- Same triggers: push/PR to `main` on Dockerfile or workflow changes
- Same severity: `critical,high` only
- Same output: SARIF uploaded to GitHub Code Scanning
- Builds `xianpengshen/clang-tools:21` before scanning (same target as
before)

Author: shenxianpeng

.github/workflows/docker-scout.yml

@@ -0,0 +1,56 @@
+name: Docker Scout
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'Dockerfile*'
+      - '.github/workflows/docker-scout.yml'
+  pull_request:
+    branches: [main]
+    paths:
+      - 'Dockerfile*'
+      - '.github/workflows/docker-scout.yml'
+
+permissions:
+  contents: read
+  pull-requests: write
+  security-events: write
+
+jobs:
+  scout:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+
+      - name: Build image
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        with:
+          file: Dockerfile
+          build-args: |
+            BASE_IMAGE=ubuntu:questing
+            CLANG_VERSION=21
+          load: true
+          tags: xianpengshen/clang-tools:21
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Docker Scout CVEs
+        uses: docker/scout-action@bacf462e8d090c09660de30a6ccc718035f961e3 # v1.20.4
+        with:
+          command: cves
+          image: xianpengshen/clang-tools:21
+          sarif-file: scout.sarif
+          only-severities: critical,high
+
+      - name: Upload SARIF to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@03e4368ac7daa2bd82b3e85262f3bf87ee112f57 # v3.35.1
+        with:
+          sarif_file: scout.sarif

.github/workflows/snyk-container-analysis.yml

@@ -4,7 +4,7 @@
 [![GitHub Repo](https://img.shields.io/badge/GitHub%20Repo-URL-blue?logo=github)](https://github.com/cpp-linter/clang-tools-docker)
 ![Maintenance](https://img.shields.io/maintenance/yes/2026)
 [![CI](https://github.com/cpp-linter/clang-tools-docker/actions/workflows/CI.yml/badge.svg)](https://github.com/cpp-linter/clang-tools-docker/actions/workflows/CI.yml)
-[![Snyk Container](https://github.com/cpp-linter/clang-tools-docker/actions/workflows/snyk-container-analysis.yml/badge.svg)](https://github.com/cpp-linter/clang-tools-docker/actions/workflows/snyk-container-analysis.yml)
+[![Docker Scout](https://github.com/cpp-linter/clang-tools-docker/actions/workflows/docker-scout.yml/badge.svg)](https://github.com/cpp-linter/clang-tools-docker/actions/workflows/docker-scout.yml)
 
 🐳 **Clang Tools Docker Image**: This Docker image comes pre-installed with essential clang tools, including `clang-format` and `clang-tidy`.