Contributor

@danbarr danbarr commented Nov 26, 2025

Problem

The Trivy scan was failing because it was trying to pull images from the remote registry (ghcr.io), which don't exist yet during the build process - especially for PRs where images aren't pushed.

Multi-platform Docker builds with Buildx don't load images into the local Docker daemon by design, causing Trivy to attempt a remote pull that fails with MANIFEST_UNKNOWN.

Solution

  • Add a dedicated single-platform build step that uses load: true to load the image into the local Docker daemon
  • Configure Trivy to scan the locally-loaded image using a local-scan: tag
  • Reuse cached layers from the multi-platform build for efficiency

This works for both PRs (where images aren't pushed) and main branch builds (where they are), since Trivy now always scans the locally-available image.

Fixes #214
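The approach described in the comment above, sketched as a GitHub Actions job. This is an added example, not the workflow changed in this PR: the job layout, the `ghcr.io/example-org/example-image` name, the `github.sha` tag suffix, the `type=gha` cache backend, the action versions and the Trivy severity settings are all assumptions.

```yaml
# Added example: assumed workflow layout, not the repository's actual file.
name: build-and-scan
on:
  pull_request:
  push:
    branches: [main]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3

      # Multi-platform build: the result is not loaded into the local Docker
      # daemon, and it is pushed to the registry only outside pull requests.
      - name: Build multi-platform image
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: ${{ github.event_name != 'pull_request' }}
          tags: ghcr.io/example-org/example-image:latest  # placeholder name
          cache-from: type=gha
          cache-to: type=gha,mode=max

      # Single-platform rebuild for scanning: load: true puts the image into
      # the local daemon, and cache-from reuses layers from the step above.
      - name: Build image for scanning
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/amd64
          load: true
          push: false
          tags: local-scan:${{ github.sha }}
          cache-from: type=gha

      # The tag exists only locally, so Trivy scans the exact image that was
      # just built and never needs a registry pull (no MANIFEST_UNKNOWN on PRs).
      - name: Scan local image with Trivy
        uses: aquasecurity/trivy-action@0.28.0  # pin to a commit SHA in real use
        with:
          image-ref: local-scan:${{ github.sha }}
          format: table
          severity: CRITICAL,HIGH
          exit-code: '1'
          ignore-unfixed: true
```

Only the `linux/amd64` variant is scanned here, so findings specific to other platforms in the multi-platform build are not covered by this step.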

@danbarr danbarr force-pushed the fix/trivy-scan-local-image branch from 0354e82 to 720eb99 Compare November 26, 2025 04:11
@danbarr danbarr requested a review from Copilot November 26, 2025 04:12
Copilot finished reviewing on behalf of danbarr November 26, 2025 04:14

Copilot AI left a comment


Pull request overview

This PR fixes a Trivy security scanning failure in the CI pipeline by ensuring the scanner uses locally-built images instead of attempting to pull from the remote registry, which would fail for PRs where images aren't pushed.

Key Changes:

  • Added a dedicated single-platform build step that loads the image into the local Docker daemon
  • Updated Trivy scanner configuration to reference the locally-loaded image
  • Leveraged build cache from the multi-platform build for efficiency


Member

@rdimitrov rdimitrov left a comment


Left a small comment but lgtm 💯

@JAORMX JAORMX merged commit 7d7df6a into main Nov 26, 2025
8 checks passed
@JAORMX JAORMX deleted the fix/trivy-scan-local-image branch November 26, 2025 13:33

Development

Successfully merging this pull request may close these issues.

Trivy errors on some builds
