fix: only alert on CVEs that have a fix

.github/workflows/docker-build.yml

@@ -50,7 +50,10 @@ jobs:
         id: scan
         with:
           sbom: sbom.spdx.json
+          severity-cutoff: high
           fail-build: false
+          only-fixed: true
+          by-cve: true
 
       - name: upload Anchore scan SARIF report
         uses: github/codeql-action/upload-sarif@v2