try loop

.github/workflows/dev-build.yaml

@@ -96,20 +96,25 @@ jobs:
       # Justifications https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md#status-justifications
       - name: Add VEX attestations
         uses: docker/scout-cli-action@v1
-        env:
-          CVE_EXCEPTIONS: ${{ steps.cve-list.outputs.CVE_EXCEPTIONS }}
-        run: |
-          echo $CVE_EXCEPTIONS
-          curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
-          for cve in $CVE_EXCEPTIONS; do
-            for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do
-              echo "Attaching VEX exception $cve to $tag"
-              docker scout attestation add \
-              --file "./docker/vex/$cve.vex.json" \
-              --predicate-type https://openvex.dev/ns/v0.2.0 \
-              $tag
-            done
-          done
-        shell: bash
+        with:
+          command: attestation-add
+          only-severity: critical,high
+          tags: ${{ steps.meta.outputs.tags }}
+          file: ./docker/vex/${{ matrix.cve }}.vex.json
+          predicate-type: https://openvex.dev/ns/v0.2.0
+        strategy:
+          matrix:
+            cve: ${{ fromJSON(format('[{0}]', steps.cve-list.outputs.CVE_EXCEPTIONS)) }}
 
-
+       # run: |
+        #   echo $CVE_EXCEPTIONS
+        #   curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
+        #   for cve in $CVE_EXCEPTIONS; do
+        #     for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do
+        #       echo "Attaching VEX exception $cve to $tag"
+        #       docker scout attestation add \
+        #       --file "./docker/vex/$cve.vex.json" \
+        #       --predicate-type https://openvex.dev/ns/v0.2.0 \
+        #       $tag
+        #     done
+        #   done