
Scans only work with amd64 images

Open thespad opened this issue 4 years ago • 5 comments

Behaviour

Steps to reproduce this issue

  1. Build an image with only arm64 and/or arm32 manifests
  2. Run scan action against it

Expected behaviour

Scanning should be possible as trivy provides arm binaries

Actual behaviour

Error: 2021-12-13T23:32:23.703Z	FATAL	scan error: unable to initialize a scanner: unable to initialize a docker scanner: 3 errors occurred:
	* unable to inspect the image (ghcr.io/thespad/dive:v0.10.0-spad003): Error: No such image: ghcr.io/thespad/dive:v0.10.0-spad003
	* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
	* no child with platform linux/amd64 in index ghcr.io/thespad/dive:v0.10.0-spad003

Configuration

  • Repository URL (if public): https://github.com/TheSpad/docker-dive
  • Build URL (if public): https://github.com/TheSpad/docker-dive/runs/4513428777?check_suite_focus=true
      -
        name: Scan for vulnerabilities
        uses: crazy-max/ghaction-container-scan@v1
        with:
          image: ${{ fromJSON(steps.docker_meta.outputs.json).tags[0] }}

Logs

logs_72.zip

thespad avatar Dec 17 '21 11:12 thespad

Hum yeah that might be an issue with the container scanner. Can you try with:

      -
        name: Build and push
        uses: docker/[email protected]
        with:
          files: |
            ./docker-bake.hcl
            ${{ steps.docker_meta.outputs.bake-file }}
          targets: image-all
          push: true
      -
        name: OCI
        uses: docker/[email protected]
        with:
          files: |
            ./docker-bake.hcl
            ${{ steps.docker_meta.outputs.bake-file }}
          targets: image-all
          # block scalar: a plain YAML value may not start with "*" (alias indicator)
          set: |
            *.output=type=oci,dest=/tmp/image.tar
      -
        name: Scan for vulnerabilities
        uses: crazy-max/ghaction-container-scan@v1
        with:
          tarball: /tmp/image.tar

The OCI step should be pretty fast as the image is already built in the previous step.

Or you can build your image matching the current platform and build and push the multi-platform one after that: https://github.com/crazy-max/ghaction-container-scan#build-scan-and-push-your-image

crazy-max avatar Dec 21 '21 00:12 crazy-max

Yeah I'd like to try and avoid building for amd64 in this instance just to scan it and then throw it away.

Tried your suggestion but

Error: 2021-12-21T10:17:33.199Z	FATAL	scan error: unable to initialize a scanner: unable to initialize the archive scanner: 2 errors occurred:
	* unable to open /tmp/image.tar as a Docker image: file manifest.json not found in tar
	* unable to open /tmp/image.tar as an OCI Image: stat /tmp/image.tar/index.json: not a directory

Full logs: logs_81.zip

thespad avatar Dec 21 '21 10:12 thespad
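The two failures in this thread come from two different probes a scanner runs before it ever looks at a layer: first it decides what kind of archive it has (a `docker save` tarball carries `manifest.json` at its root; an OCI image layout carries `oci-layout` and `index.json`), then it walks the index for a child manifest matching the platform it wants, which is where "no child with platform linux/amd64" comes from on an arm-only image. The following is an added example, not code from ghaction-container-scan or trivy, that performs both probes on an OCI layout packed into a tar. The sample archives are constructed inline and their blob digests are placeholders rather than real sha256 sums; the function names are mine.

```python
"""Probe an image archive the way a scanner does before it can pick a
platform: is it a Docker save archive or an OCI layout, which platforms does
the index carry, and which child matches the one we want?
Added example, not the action's or trivy's code."""
import io
import json
import tarfile

OCI_LAYOUT = "oci-layout"
OCI_INDEX = "index.json"
DOCKER_MANIFEST = "manifest.json"
MANIFEST_TYPE = "application/vnd.oci.image.manifest.v1+json"


def _add_file(tar, name, content):
    info = tarfile.TarInfo(name)
    info.size = len(content)
    tar.addfile(info, io.BytesIO(content))


def build_sample_oci_tar(platforms):
    """Constructed sample: a minimal OCI layout packed into a tar, one dummy
    manifest blob per platform. Digests are placeholders, not real sums."""
    index = {"schemaVersion": 2, "manifests": []}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add_file(tar, OCI_LAYOUT, b'{"imageLayoutVersion": "1.0.0"}')
        for i, plat in enumerate(platforms):
            hexdigest = f"{i:064x}"
            manifest = {"schemaVersion": 2, "mediaType": MANIFEST_TYPE,
                        "config": {}, "layers": [], "platform": plat}
            blob = json.dumps(manifest).encode()
            _add_file(tar, f"blobs/sha256/{hexdigest}", blob)
            index["manifests"].append({"mediaType": MANIFEST_TYPE,
                                       "digest": f"sha256:{hexdigest}",
                                       "size": len(blob), "platform": plat})
        _add_file(tar, OCI_INDEX, json.dumps(index).encode())
    return buf.getvalue()


def build_sample_docker_tar():
    """Constructed sample: only the marker file of a `docker save` archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add_file(tar, DOCKER_MANIFEST, b"[]")
    return buf.getvalue()


def _read_member(tar, name):
    try:
        f = tar.extractfile(tar.getmember(name))
    except KeyError:
        return None
    return f.read() if f else None


def classify_archive(data):
    """Return "docker", "oci" or "unknown" from the top-level marker files;
    these are the two probes behind the archive-scanner error above."""
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        names = set(tar.getnames())
    if DOCKER_MANIFEST in names:
        return "docker"
    if OCI_INDEX in names and OCI_LAYOUT in names:
        return "oci"
    return "unknown"


def platform_string(p):
    """Render an OCI platform object as os/arch[/variant]."""
    s = f"{p.get('os', '?')}/{p.get('architecture', '?')}"
    return s + "/" + p["variant"] if p.get("variant") else s


def platforms_in_index(data):
    """List every platform the OCI index advertises, in index order."""
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        raw = _read_member(tar, OCI_INDEX)
    if raw is None:
        raise ValueError("not an OCI layout: index.json missing")
    return [platform_string(m.get("platform", {}))
            for m in json.loads(raw)["manifests"]]


def select_manifest(data, platform):
    """Return the child manifest for `platform` ("os/arch" or "os/arch/variant").
    Raises LookupError, naming what is present, when no child matches: the
    situation behind "no child with platform linux/amd64 in index"."""
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        raw = _read_member(tar, OCI_INDEX)
        if raw is None:
            raise ValueError("not an OCI layout: index.json missing")
        for entry in json.loads(raw)["manifests"]:
            if platform_string(entry.get("platform", {})) == platform:
                blob = _read_member(tar, "blobs/" + entry["digest"].replace(":", "/"))
                if blob is None:
                    raise ValueError(f"blob {entry['digest']} missing from layout")
                return json.loads(blob)
    raise LookupError(f"no child with platform {platform} in index; "
                      f"available: {', '.join(platforms_in_index(data))}")


if __name__ == "__main__":
    # Mirror the issue: an index with only arm64 and arm/v7 children.
    arm_only = build_sample_oci_tar([
        {"os": "linux", "architecture": "arm64"},
        {"os": "linux", "architecture": "arm", "variant": "v7"},
    ])
    print(classify_archive(arm_only), platforms_in_index(arm_only))
    print(select_manifest(arm_only, "linux/arm64")["platform"])
    try:
        select_manifest(arm_only, "linux/amd64")
    except LookupError as err:
        print("scan would fail:", err)
```

The point of separating the two probes is that they fail differently: an archive the scanner cannot classify at all (the log above shows it looking for `manifest.json` inside the tar and for `index.json` under the tarball path as if it were a directory) never reaches platform selection, whereas a correctly read OCI index with no `linux/amd64` child fails only at the second step, and the error is far more useful if it lists the platforms the index does carry.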

avoid building for amd64 in this instance just to scan it and then throw it away.

Yeah you're right, we might need a multi exporter on BuildKit to handle that easily: https://github.com/moby/buildkit/issues/1555

crazy-max avatar Dec 21 '21 11:12 crazy-max

Hi, it appears that the upstream bug/limitation has now been addressed (https://github.com/moby/buildkit/issues/1555, https://github.com/moby/buildkit/pull/4134)... any work still needed on your side to complete support for this or can this issue now be marked as closed/resolved?

frankgrimes97 avatar May 14 '24 16:05 frankgrimes97

Still appears to be trying to use amd64 images, even though on an arm GitHub action.

maggie44 avatar Oct 19 '24 15:10 maggie44