It seems like there is no way to write the output in a chosen format to a file/env

[abrie-stubber]

The docker scout cves command supports the following --formats

--format string               Output format of the generated vulnerability report:
                                    - packages: default output, plain text with vulnerabilities grouped by packages
                                    - sarif: json Sarif output
                                    - spdx: json SPDX output
                                    - gitlab: json GitLab output
                                    - markdown: markdown output (including some html tags like collapsible sections)
                                    - sbom: json SBOM output

I believe many would like to choose their format and then write it to a file or the action env such that it can be used in later steps.
There does not seem to be any way to pass the output to following steps apart from the sarif-file option, which is not a very nice option if you want to do your own stuff.

[benja-M-1]

Hi @abrie-stubber I am sorry for the late answer.

There does not seem to be any way to pass the output to following steps

To be sure I understand, you mean that you want to dump it into a file, right?

docker scout cves has a --output (-o) option to write the content report to a file.
Also, you could simply use stdout redirection: docker scout cves ... > report.json.
When within a GitHub Action I believe you can redirect stdout to $GITHUB_OUTPUT as explained in https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-commands#setting-an-output-parameter

Let me know if that does not answers your request.