
Scans only work with amd64 images #9

Open
thespad opened this issue Dec 17, 2021 · 5 comments


thespad commented Dec 17, 2021

Behaviour

Steps to reproduce this issue

  1. Build an image with only arm64 and/or arm32 manifests
  2. Run scan action against it

Expected behaviour

Scanning should be possible as trivy provide arm binaries

Actual behaviour

Error: 2021-12-13T23:32:23.703Z FATAL scan error: unable to initialize a scanner: unable to initialize a docker scanner: 3 errors occurred:
* unable to inspect the image (ghcr.io/thespad/dive:v0.10.0-spad003): Error: No such image: ghcr.io/thespad/dive:v0.10.0-spad003
* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
* no child with platform linux/amd64 in index ghcr.io/thespad/dive:v0.10.0-spad003

Configuration

      -
        name: Scan for vulnerabilities
        uses: crazy-max/ghaction-container-scan@v1
        with:
          image: ${{ fromJSON(steps.docker_meta.outputs.json).tags[0] }}

Logs

logs_72.zip

crazy-max (Owner) commented Dec 21, 2021

Hum, yeah, that might be an issue with the container scanner. Can you try with:

      -
        name: Build and push
        uses: docker/[email protected]
        with:
          files: |
            ./docker-bake.hcl
            ${{ steps.docker_meta.outputs.bake-file }}
          targets: image-all
          push: true
      -
        name: OCI
        uses: docker/[email protected]
        with:
          files: |
            ./docker-bake.hcl
            ${{ steps.docker_meta.outputs.bake-file }}
          targets: image-all
          set: *.output=type=oci,dest=/tmp/image.tar
      -
        name: Scan for vulnerabilities
        uses: crazy-max/ghaction-container-scan@v1
        with:
          tarball: /tmp/image.tar

The OCI step should be pretty fast as the image is already built in the previous step.

Or you can build your image matching the current platform and build and push the multi-platform one after that: https://github.com/crazy-max/ghaction-container-scan#build-scan-and-push-your-image

thespad (Author) commented Dec 21, 2021

Yeah I'd like to try and avoid building for amd64 in this instance just to scan it and then throw it away.

Tried your suggestion, but:

Error: 2021-12-21T10:17:33.199Z	FATAL	scan error: unable to initialize a scanner: unable to initialize the archive scanner: 2 errors occurred:
	* unable to open /tmp/image.tar as a Docker image: file manifest.json not found in tar
	* unable to open /tmp/image.tar as an OCI Image: stat /tmp/image.tar/index.json: not a directory

Full logs:
logs_81.zip
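The two errors above describe exactly what trivy's archive scanner tries: first a `docker save` tarball (which must carry a `manifest.json`), then an OCI image layout, which it expects as a directory (hence `stat /tmp/image.tar/index.json: not a directory`). A BuildKit `type=oci,dest=/tmp/image.tar` export is that OCI layout packed into a tar, so neither path matches. The helper below is an added example written for this thread; it is not code from ghaction-container-scan, trivy, BuildKit or any commenter. It classifies an archive the same way, unpacks an OCI tar into the directory form, and hands the right path to `trivy image --input`. Assumptions: POSIX `sh` with `tar` and `grep`; that `trivy image --input` accepts both a docker-save tar and an OCI layout directory; and the OCI layout used when exercising it is constructed, not a real image.

```shell
#!/bin/sh
# Added example for this thread; not code from ghaction-container-scan, trivy,
# BuildKit or any commenter. Assumptions: POSIX sh with tar(1) and grep(1);
# trivy is only invoked if present on PATH.

# Classify an image archive: prints "docker", "oci" or "unknown".
# A docker-save tar carries manifest.json; an OCI layout tar carries index.json.
# Entries may be stored as "index.json" or "./index.json" depending on how the
# tar was produced, so both spellings are accepted.
archive_kind() {
  tarball=$1
  if [ ! -f "$tarball" ]; then
    echo unknown
    return 1
  fi
  if tar -tf "$tarball" | grep -qE '^(\./)?manifest\.json$'; then
    echo docker
  elif tar -tf "$tarball" | grep -qE '^(\./)?index\.json$'; then
    echo oci
  else
    echo unknown
    return 1
  fi
}

# Unpack an OCI layout tarball into a directory that trivy's OCI code path can
# stat, and print that directory. Fails if the archive is not an OCI layout or
# the unpacked tree lacks the two files the OCI image layout spec requires
# (index.json and oci-layout).
unpack_oci_layout() {
  tarball=$1
  dest=$2
  [ "$(archive_kind "$tarball")" = oci ] || return 1
  mkdir -p "$dest" || return 1
  tar -xf "$tarball" -C "$dest" || return 1
  [ -f "$dest/index.json" ] && [ -f "$dest/oci-layout" ] || return 1
  printf '%s\n' "$dest"
}

# Resolve the path trivy should be given for --input: the tar itself for a
# docker-save archive, an unpacked directory for an OCI layout tar.
scan_input_for() {
  tarball=$1
  workdir=$2
  case "$(archive_kind "$tarball")" in
    docker) printf '%s\n' "$tarball" ;;
    oci)    unpack_oci_layout "$tarball" "$workdir/oci" ;;
    *)      return 1 ;;
  esac
}

# Stand-alone use: ./scan-archive.sh /tmp/image.tar [workdir]
# (Assumption: `trivy image --input <path>` accepts both forms above.)
if [ "$#" -ge 1 ]; then
  input=$(scan_input_for "$1" "${2:-/tmp/scan-work}") || {
    echo "not a docker-save or OCI layout archive: $1" >&2
    exit 1
  }
  if command -v trivy >/dev/null 2>&1; then
    exec trivy image --input "$input"
  else
    echo "would run: trivy image --input $input" >&2
  fi
fi
```

Because the OCI export already contains every platform's manifest, unpacking it and scanning the directory avoids building a throwaway amd64 image just for the scanner. Check `trivy image --help` for your version: newer trivy releases also take a `--platform` flag on `image`, which is the other way to pick a non-amd64 child out of a multi-platform index.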

crazy-max (Owner) commented

> avoid building for amd64 in this instance just to scan it and then throw it away.

Yeah, you're right, we might need a multi-exporter on BuildKit to handle that easily: moby/buildkit#1555

frankgrimes97 commented

Hi, it appears that the upstream bug/limitation has now been addressed (moby/buildkit#1555, moby/buildkit#4134)... any work still needed on your side to complete support for this or can this issue now be marked as closed/resolved?

maggie44 commented

Still appears to be trying to use amd64 images, even though on an arm GitHub action.
