Proposing here that trivy add support for multi-arch containers containing application/vnd.oci.image.index.v1+json types, listing multiple items in the manifests array. This is a standard index that can be tagged for a single app that can run on multiple architectures. At runtime, clients will pull the correct architecture. But it could be used to scan all architectures for the index and combine them into a single report.
When scanning a multi-arch TAR file today, trivy fails. Providing --platform as an option to trivy image produces the same error. (note: I tried aarch64 and arm64 formats)
% trivy image --input test.tar --platform aarch64
2024-10-31T20:42:30-04:00 INFO [vuln] Vulnerability scanning is enabled
2024-10-31T20:42:30-04:00 INFO [secret] Secret scanning is enabled
2024-10-31T20:42:30-04:00 INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-31T20:42:30-04:00 INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-31T20:42:30-04:00 FATAL Fatal error image scan error: scan error: unable to initialize a scanner: unable to initialize the archive scanner: 2 errors occurred:
* unable to open test.tar as a Docker image: tarball must contain only a single image to be used with tarball.Image
* unable to open test.tar as an OCI Image: stat test.tar/index.json: not a directory
Target
Container Image
Scanner
None
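
The enumeration the proposal describes, as an added example (not from the original post and not trivy's code): it reads index.json from an OCI image-layout tar, follows nested indexes, verifies each blob against its sha256 digest, and returns the per-platform manifests a scanner would need to visit. The function names and the archive produced by build_sample() are constructed for illustration.

```python
import hashlib, io, json, tarfile

INDEX = "application/vnd.oci.image.index.v1+json"
MANIFEST = "application/vnd.oci.image.manifest.v1+json"

def read_blob(tar, digest):
    """Read blobs/sha256/<hex> from the layout and verify it against its digest."""
    alg, _, hexd = digest.partition(":")
    if alg != "sha256":
        raise ValueError(f"unsupported digest algorithm: {digest}")
    data = tar.extractfile(f"blobs/sha256/{hexd}").read()
    if hashlib.sha256(data).hexdigest() != hexd:
        raise ValueError(f"digest mismatch for {digest}")
    return data

def platform_manifests(tar, index=None, depth=0):
    """Return [(os/arch[/variant], manifest digest)] for every image in the index."""
    if depth > 4:
        raise ValueError("image index nesting too deep")
    if index is None:
        index = json.load(tar.extractfile("index.json"))
    found = []
    for desc in index.get("manifests", []):
        if desc["mediaType"] == INDEX:  # nested index: verify, parse, recurse
            found += platform_manifests(tar, json.loads(read_blob(tar, desc["digest"])), depth + 1)
        elif desc["mediaType"] == MANIFEST:
            p = desc.get("platform", {})
            name = "/".join(filter(None, (p.get("os"), p.get("architecture"), p.get("variant"))))
            read_blob(tar, desc["digest"])  # manifest blob must be present and intact
            found.append((name or "unknown", desc["digest"]))
    return found

def build_sample():
    """Constructed two-platform OCI layout archive; manifests are stubs without layers."""
    files, descs = {"oci-layout": b'{"imageLayoutVersion":"1.0.0"}'}, []
    for arch in ("amd64", "arm64"):
        body = json.dumps({"schemaVersion": 2, "mediaType": MANIFEST, "annotations": {"stub": arch}}).encode()
        hexd = hashlib.sha256(body).hexdigest()
        files[f"blobs/sha256/{hexd}"] = body
        descs.append({"mediaType": MANIFEST, "digest": f"sha256:{hexd}", "size": len(body),
                      "platform": {"os": "linux", "architecture": arch}})
    files["index.json"] = json.dumps({"schemaVersion": 2, "mediaType": INDEX, "manifests": descs}).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            t.addfile(info, io.BytesIO(data))
    return tarfile.open(fileobj=io.BytesIO(buf.getvalue()))
```

Calling platform_manifests(build_sample()) returns one (platform, digest) pair per architecture; for an archive on disk, pass tarfile.open("test.tar") instead.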