Image misconfiguration fails scanning Iron Bank images

[candrews]

Description

Trivy isn't able to scan Iron Bank images correctly.

Trivy appears to be misparsing the directives; I believe Trivy should stop parsing when it encounters a pipe (|) symbol.

For some images (ex registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.6), Trivy's image misconfiguration scan reports findings like this:
AVD-DS-0011 (CRITICAL): Slash is expected at the end of COPY command argument '|clamp-mtime=1755780386'

For other images (ex registry1.dso.mil/ironbank/opensource/aquasec/trivy:0.66.0), Trivy's image misconfiguration fails entirely with:

2025-09-15T11:04:26-04:00	ERROR	[dockerfile scanner] Failed to parse file	file_path="Dockerfile" err="parse dockerfile instruction: Unknown type \"NONE|CLAMP-MTIME=1756905379\" in HEALTHCHECK (try CMD)"

I do not know exactly how these images were built, and they are not anonymously accessible which makes this issue challenging to reproduce. I am confident that that they are valid as they work fine when run by both podman and docker.

And I'm confident Aquasecurity can pull these images and perform these tests as they maintain an Iron Bank image for Trivy: https://ironbank.dso.mil/repomap/details;registry1Path=opensource%252Faquasec%252Ftrivy

Desired Behavior

The image misconfiguration scan should work as well for Iron Bank images as it does for other images.

Actual Behavior

The image misconfiguration scan either fails entirely or reports false findings .

Reproduction Steps

1. `trivy image --scanners misconfig --image-config-scanners misconfig registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.6`

or

1. trivy image --scanners misconfig --image-config-scanners misconfig registry1.dso.mil/ironbank/opensource/aquasec/trivy:0.66.0

Target

Container Image

Scanner

Misconfiguration

Output Format

None

Mode

Standalone

Debug Output

$ trivy image --scanners misconfig --image-config-scanners misconfig registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.6

2025-09-15T11:00:33-04:00	DEBUG	No plugins loaded
2025-09-15T11:00:33-04:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-09-15T11:00:33-04:00	DEBUG	Cache dir	dir="/home/candrews/.cache/trivy"
2025-09-15T11:00:33-04:00	DEBUG	Cache dir	dir="/home/candrews/.cache/trivy"
2025-09-15T11:00:33-04:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-09-15T11:00:33-04:00	DEBUG	Ignore statuses	statuses=[]
2025-09-15T11:00:33-04:00	INFO	[image] Container image config scanners	scanners=[misconfig]
2025-09-15T11:00:33-04:00	INFO	[misconfig] Misconfiguration scanning is enabled
2025-09-15T11:00:33-04:00	DEBUG	[misconfig] Checks successfully loaded from disk
2025-09-15T11:00:33-04:00	DEBUG	[notification] Running version check
2025-09-15T11:00:33-04:00	DEBUG	[notification] Version check completed	latest_version="0.66.0"
2025-09-15T11:00:33-04:00	DEBUG	[rego] Overriding filesystem for checks
2025-09-15T11:00:33-04:00	DEBUG	[rego] Embedded libraries are loaded	count=17
2025-09-15T11:00:33-04:00	DEBUG	[rego] Embedded checks are loaded	count=519
2025-09-15T11:00:33-04:00	DEBUG	[rego] Checks from disk are loaded	count=536
2025-09-15T11:00:33-04:00	DEBUG	[rego] Overriding filesystem for data
2025-09-15T11:00:34-04:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-09-15T11:00:34-04:00	DEBUG	Initializing scan cache...	type="fs"
2025-09-15T11:00:35-04:00	DEBUG	[image] Image found	image="registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.6" source="remote"
2025-09-15T11:00:35-04:00	DEBUG	Created process-specific temp directory	path="/tmp/trivy-1246330"
2025-09-15T11:00:36-04:00	DEBUG	[image] Detected image ID	image_id="sha256:76815965a24e2dea28a9d5556948024a6763ddc32505db1222d68c748cfdddbe"
2025-09-15T11:00:36-04:00	DEBUG	[image] Detected diff ID	diff_ids=[sha256:778d8c610941586099cac6c507cad2d1156b71b2bb54c42cebedf8808c68edb9 sha256:22d5984f0ecf335dc100a8cd8331921ae1a8c67eb7cbf881707c19e8b0e12f24]
2025-09-15T11:00:36-04:00	DEBUG	[image] Detected base layers	diff_ids=[]
2025-09-15T11:00:36-04:00	INFO	Detected config files	num=1
2025-09-15T11:00:36-04:00	DEBUG	Scanned config file	file_path="registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.6"
2025-09-15T11:00:36-04:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-09-15T11:00:36-04:00	DEBUG	[vex] VEX filtering is disabled

Report Summary

┌────────────────────────────────────────────────────────┬────────────┬───────────────────┐
│                         Target                         │    Type    │ Misconfigurations │
├────────────────────────────────────────────────────────┼────────────┼───────────────────┤
│ registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.6 │ dockerfile │         5         │
└────────────────────────────────────────────────────────┴────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.6 (dockerfile)

Tests: 28 (SUCCESSES: 23, FAILURES: 5)
Failures: 5 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 3)

AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


AVD-DS-0011 (CRITICAL): Slash is expected at the end of COPY command argument '|clamp-mtime=1755780386'
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
When a COPY command has more than two arguments, the last one should end with a slash.

See https://avd.aquasec.com/misconfig/ds011
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.6:28
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  28 [ COPY dir:076f7c662474d43535f47943e13b40d0cae8e9a9c28bd79ed8324810fe9734e7 /dsop-fix/     |clamp-mtime=1755780386
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


AVD-DS-0011 (CRITICAL): Slash is expected at the end of COPY command argument '|clamp-mtime=1755780386'
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
When a COPY command has more than two arguments, the last one should end with a slash.

See https://avd.aquasec.com/misconfig/ds011
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.6:29
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  29 [ COPY file:47b0625ed5b30ad57f039c03648877de54de23b1b0295a90b4329ce15826aa6e /etc/     |clamp-mtime=1755780386
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


AVD-DS-0011 (CRITICAL): Slash is expected at the end of COPY command argument '|clamp-mtime=1755780386'
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
When a COPY command has more than two arguments, the last one should end with a slash.

See https://avd.aquasec.com/misconfig/ds011
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.6:30
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  30 [ COPY multi:a32f0e456b63435a183ac505a75c9c25b73b640a274241d204b0029bea21027e in /etc/pki/ca-trust/source/anchors/     |clamp-mtime=1755780386
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


AVD-DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds026
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


2025-09-15T11:00:36-04:00	DEBUG	Cleaning up temp directory	path="/tmp/trivy-1246330"

$ trivy image --scanners misconfig --image-config-scanners misconfig registry1.dso.mil/ironbank/opensource/aquasec/trivy:0.66.0
2025-09-15T11:04:03-04:00	INFO	[image] Container image config scanners	scanners=[misconfig]
2025-09-15T11:04:03-04:00	INFO	[misconfig] Misconfiguration scanning is enabled
2025-09-15T11:04:26-04:00	ERROR	[dockerfile scanner] Failed to parse file	file_path="Dockerfile" err="parse dockerfile instruction: Unknown type \"NONE|CLAMP-MTIME=1756905379\" in HEALTHCHECK (try CMD)"
2025-09-15T11:04:27-04:00	INFO	Detected config files	num=0
2025-09-15T11:04:27-04:00	WARN	[report] Supported files for scanner(s) not found.	scanners=[misconfig]

Report Summary

┌────────┬──────┬───────────────────┐
│ Target │ Type │ Misconfigurations │
├────────┼──────┼───────────────────┤
│   -    │  -   │         -         │
└────────┴──────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

Operating System

Linux

Version

$ trivy --version
Version: 0.66.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-03-04 12:19:53.6789312 +0000 UTC
  NextUpdate: 2025-03-05 12:19:53.67893096 +0000 UTC
  DownloadedAt: 2025-03-04 16:13:09.733408284 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2025-02-14 02:24:51.921228254 +0000 UTC
  NextUpdate: 2025-02-17 02:24:51.921228094 +0000 UTC
  DownloadedAt: 2025-02-24 20:15:07.116719167 +0000 UTC
Check Bundle:
  Digest: sha256:a471e90b7c7335e914ec9075b74cf8f65e4c91e6cecfa7e39c587382808d2684
  DownloadedAt: 2025-09-15 14:17:42.443579072 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[simar7]

@nikpivkin can you take a look?

[nikpivkin]

Hi @candrews ! Thanks for the report.

I don't have access to Iron Bank images, but I reproduced this locally.

[nikpivkin]

Track #9485