BREAKING CHANGE: Starting with v0.72.0, releases no longer publish architecture-specific image tags #10824
nikpivkin
announced in
Announcements
BREAKING CHANGE: Starting with v0.72.0, releases no longer publish architecture-specific image tags
#10824
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Motivation
Trivy container images are published as multi-arch images. A multi-arch image is an image index (manifest list) that references one single-arch manifest per platform. The recommended way to consume Trivy has always been the plain tag (e.g.
aquasec/trivy:0.72.0), which lets the registry resolve the correct architecture automatically.Until now, the release process also published separate architecture-specific tags with a platform suffix (e.g.
0.71.0-amd64,latest-arm64) before merging them into the manifest list. As part of migrating the release pipeline todocker buildx, the multi-arch image is now built and pushed directly, and these per-arch tags are dropped. This applies to all registries where Trivy images are published:docker.io/aquasec/trivyghcr.io/aquasecurity/trivypublic.ecr.aws/aquasecurity/trivyTo be precise: the single-arch images themselves do not go away. They are still built and pushed to the registry — they are just referenced by digest from the image index instead of carrying their own tag.
Who is affected
Only users who pin an architecture-specific tag, such as:
Starting with v0.72.0, these suffixed tags are no longer published for new releases. Tags from previous releases remain available, but no new ones will be created.
If you already use the plain tag (e.g.
aquasec/trivy:0.72.0oraquasec/trivy:latest), no action is needed.What to do
Switch to the plain tag and let the registry resolve the right architecture for the host:
docker pull aquasec/trivy:0.72.0 # or: ghcr.io/aquasecurity/trivy:0.72.0, public.ecr.aws/aquasecurity/trivy:0.72.0If you need to pin a specific architecture explicitly, reference the single-arch image by its digest from the manifest list:
This prints the digest of each platform's manifest, which you can then pull directly (e.g.
aquasec/trivy@sha256:...).Beta Was this translation helpful? Give feedback.
All reactions