Running action with multiple image input #16

Open
rickardgranberg opened this issue Oct 11, 2023 · 5 comments
Labels
enhancement New feature or request


@rickardgranberg

I'm using the provided example here: https://github.com/docker/scout-action#build-an-image-push-and-compare to run docker scout, but if the output from metadata-action steps.meta.outputs.tags contains multiple tags it's output as a multi-line string and this leads to the scout action giving an error:

Error: could not get the image <image-name-redacted>:latest
  <image-name-redacted>:<some-version>: failed to parse reference <image-name-redacted>:latest
  <image-name-redacted>:<some-version>:

Is this supposed to work?

@mikeparker
Contributor

Thanks for the report, yes this is a bug.

In terms of a fix, how would you like this to behave? Should we pick the first tag, the last tag, just error unless you configure it? Open to suggestions, and feel free to tell us what you're trying to do so we can understand how this should behave.

@rickardgranberg
Author

I used the example to point out the problem; my real use case is that I use docker bake that produces multiple images (using the docker/bake-action), and I would like to run scout for all of them.
So, ideally, I'd like it to run for all the images that are input to it.

I'm fine with having to do some filtering of the image list to remove duplicates, for cases where it's the same image, just with multiple tags, prior to running the action.

@mikeparker
Contributor

When you say multiple images do you mean a multi-arch image so all the images have the same tag but different architectures or multiple differently tagged images (potentially from different repositories)?

Are you primarily using it to push information (e.g. registering these images have been deployed somewhere) or to fetch information (e.g. display the current vulnerabilities)?

I guess if we're going to support multiple images for output commands then we'll need to figure out the output format - would you prefer all results for all images in one big comment? with each image as a separate collapsible block (for example)?

@rickardgranberg
Author

> When you say multiple images do you mean a multi-arch image so all the images have the same tag but different architectures or multiple differently tagged images (potentially from different repositories)?

Mainly multiple differently tagged images (but all from same repos if that makes a difference). We do have instances of the other type as well (different architectures) but that's not a priority.

> Are you primarily using it to push information (e.g. registering these images have been deployed somewhere) or to fetch information (e.g. display the current vulnerabilities)?

For fetching, we want our builds to fail if there's a fixable CVE in our code or any of the images we're based on.

> I guess if we're going to support multiple images for output commands then we'll need to figure out the output format - would you prefer all results for all images in one big comment? with each image as a separate collapsible block (for example)?

The important part is that it's easy to understand which image has a vulnerability. I'm fine with a comment for each, but I realize it might become noisy.

cdupuis added the enhancement label Feb 7, 2024
@gustavovalverde

gustavovalverde commented Sep 18, 2024

I've encountered this issue as well, but in a simpler scenario where we're using docker/metadata-action, which tags the image with both the sha and PR ref (pr-#). So, there are always at least 2 tags.

Here’s a reference workflow run:
https://github.com/ZcashFoundation/zebra/actions/runs/10918188115/job/30303098526?pr=8871#step:5:113

And here's the actual input being used (from this repo README):

These images result in the same artifact; the tags are just for easy reference.
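
The pre-filtering discussed in this thread can be done in a workflow step before the scan. The following is an added example, not code from any participant or from the scout-action project: it splits a multi-line tag list into single references, optionally keeps one reference per repository (for the case where the tags name the same artifact), and runs a caller-supplied scan command per image so a failure names the image. The function names and sample tags are constructed for illustration, and the scan command is whatever the workflow uses.

```shell
#!/bin/sh
# Constructed sample of a multi-line tag list (duplicates, blank line, stray whitespace).
SAMPLE_TAGS='ghcr.io/example/app:latest
ghcr.io/example/app:1.2.3
  localhost:5000/example/worker:pr-12  

ghcr.io/example/app:latest'

# split_refs LIST: one trimmed, non-empty reference per line, exact duplicates dropped.
split_refs() {
  printf '%s\n' "$1" |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    awk 'NF && !seen[$0]++'
}

# repo_of REF: strip the digest and tag, keeping a registry port such as localhost:5000.
repo_of() {
  r=${1%%@*}        # drop "@sha256:..." if present
  last=${r##*/}     # a tag colon can only appear in the last path component
  case $last in
    *:*) printf '%s\n' "${r%:*}" ;;
    *)   printf '%s\n' "$r" ;;
  esac
}

# first_ref_per_repo LIST: keep the first reference seen for each repository.
# Only appropriate when all tags of a repository point at the same artifact.
first_ref_per_repo() {
  split_refs "$1" | while IFS= read -r ref; do
    printf '%s\t%s\n' "$(repo_of "$ref")" "$ref"
  done | awk -F '\t' '!seen[$1]++ { print $2 }'
}

# scan_each CMD [ARGS...]: read references on stdin and run CMD ARGS... REF for each.
# Every image is scanned even after a failure; returns 1 if any scan failed.
scan_each() {
  failed=0
  while IFS= read -r ref; do
    if ! "$@" "$ref" </dev/null; then
      echo "scan failed for image: $ref" >&2
      failed=1
    fi
  done
  return "$failed"
}

first_ref_per_repo "$SAMPLE_TAGS"
```

Pipe `split_refs` into `scan_each` when the tags name different images, and `first_ref_per_repo` when they are aliases for one build.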
