scan-action

Question: scanning unpublished buildah-constructed images as part of workflows?

Open jayaddison opened this issue 3 years ago • 0 comments

Is it possible to use anchore/scan-action (v3) to scan unpublished images that have been built by buildah during a GitHub Actions workflow?

(I experimentally attempted to do this in grocy/grocy-docker#173 -- when the pipeline ran, grype attempted to pull from a DockerSource image source by default, and that failed. It seems like images must be accessible somehow, since there's an existing push-to-registry step in the same workflow that is able to read image outputs from previous job steps.)

Please note: I've some vague notions about the differences between OCI and Docker, and I use the buildah and podman command-line tools a bit locally, but I don't really understand the way that container images are stored, served and retrieved in practice.

jayaddison, Jun 27 '22 00:06