Dockerfile scanner fails or produces incorrect results if the image history contains build metadata (tokens starting with |).
These metadata are added by builders (Buildah, BuildKit, etc.). Currently, only inheritLabels metadata is removed, so other metadata (e.g., timestamp-related |force-mtime) can cause parsing errors.
Steps to reproduce:
- Create
hello.txt and Dockerfile:
FROM alpine:3.20
COPY hello.txt /app/
HEALTHCHECK NONE
- Build the image using Buildah:
docker run --rm -it \
--privileged \
--security-opt seccomp=unconfined \
-v /var/lib/containers:/var/lib/containers \
-v $(pwd):/workspace \
quay.io/buildah/stable:latest
buildah build -t test --timestamp 10 /workspace/
buildah push test docker-archive:/workspace/test.tar
---
docker load < test.tar
- Inspect the history:
docker history localhost/test --no-trunc | grep mtime
Example output:
sha256:ebfd8715e8726ba767c3146e68b528c05ae4fc075e58d383af31935607b5b173 N/A /bin/sh -c #(nop) HEALTHCHECK NONE|force-mtime=10 5B
<missing> N/A /bin/sh -c #(nop) COPY file:9bd7772ff507fb35bc1645a3d18c2fdf1903c61f847f389e6089360f08ca8ef4 in /app/ |force-mtime=10 0B FROM docker.io/library/alpine:3.20
- Run Trivy:
trivy clean --scan-cache
trivy image --scanners misconfig --image-config-scanners misconfig --scanners "" localhost/test
Result:
2025-09-16T18:42:40+06:00 INFO [image] Container image config scanners scanners=[misconfig]
2025-09-16T18:42:40+06:00 INFO [misconfig] Misconfiguration scanning is enabled
2025-09-16T18:42:40+06:00 ERROR [dockerfile scanner] Failed to parse file file_path="Dockerfile" err="parse dockerfile instruction: Unknown type \"NONE|FORCE-MTIME=10\" in HEALTHCHECK (try CMD)"
2025-09-16T18:42:40+06:00 INFO Detected config files num=0
2025-09-16T18:42:40+06:00 WARN [report] Supported files for scanner(s) not found. scanners=[misconfig]
Report Summary
┌────────┬──────┬───────────────────┐
│ Target │ Type │ Misconfigurations │
├────────┼──────┼───────────────────┤
│ - │ - │ - │
└────────┴──────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
Example of history with multiple metadata labels:
sha256:3c38c308a82e9f7e92ecbd093251640169b85a6d0295162151ec2f575bbf8ea6 N/A /bin/sh -c #(nop) HEALTHCHECK NONE|unsetLabel=true|inheritLabels=false|force-mtime=10
Discussed in #9484
Dockerfile scanner fails or produces incorrect results if the image history contains build metadata (tokens starting with
|).These metadata are added by builders (Buildah, BuildKit, etc.). Currently, only
inheritLabelsmetadata is removed, so other metadata (e.g., timestamp-related |force-mtime) can cause parsing errors.Steps to reproduce:
hello.txtandDockerfile:Example output:
Result:
Example of history with multiple metadata labels:
sha256:3c38c308a82e9f7e92ecbd093251640169b85a6d0295162151ec2f575bbf8ea6 N/A /bin/sh -c #(nop) HEALTHCHECK NONE|unsetLabel=true|inheritLabels=false|force-mtime=10Discussed in #9484