-
Notifications
You must be signed in to change notification settings - Fork 29
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Running action with multiple image input #16
Comments
Thanks for the report, yes this is a bug. In terms of a fix, how would you like this to behave? Should we pick the first tag, the last tag, just error unless you configure it? Open to suggestions, and feel free to tell us what you're trying to do so we can understand how this should behave. |
I used the example to point out the problem, my real use case is that I use docker bake that produces multiple images (using the docker/bake-action), and I would like to run scout for all of them. I'm fine with having to do some filtering of the image list to remove duplicates, for cases where it's the same image, just with multiple tags, prior to running the action. |
When you say multiple images do you mean a multi-arch image so all the images have the same tag but different architectures or multiple differently tagged images (potentially from different repositories)? Are you primarily using it to push information (e.g. registering these images have been deployed somewhere) or to fetch information (e.g. display the current vulnerabilities)? I guess if we're going to support multiple images for output commands then we'll need to figure out the output format - would you prefer all results for all images in one big comment? with each image as a separate collapsible block (for example)? |
Mainly multiple differently tagged images (but all from same repos if that makes a difference). We do have instances of the other type as well (different architectures) but that's not a priority.
For fetching, we want our builds to fail if there's a fixable CVE in our code or any of the images we're based on.
The important part is that it's easy to understand which image has a vulnerability. I'm fine with a comment for each, but I realize it might become noisy. |
I've encountered this issue as well, but in a simpler scenario where we're using Here’s a reference workflow run: And here's the actual input being used (from this repo These images result in the same artifact; the tags are just for easy reference. |
I'm using the provided example here: https://github.com/docker/scout-action#build-an-image-push-and-compare to run docker scout, but if the output from
metadata-action
steps.meta.outputs.tags
contains multiple tags it's output as a multi-line string and this leads to the scout action giving an error:Is this supposed to work?
The text was updated successfully, but these errors were encountered: