Skip to content

bug(misconf): Dockerfile scanner fails when image history contains build metadata #9485

Description

@nikpivkin

Dockerfile scanner fails or produces incorrect results if the image history contains build metadata (tokens starting with |).
These metadata are added by builders (Buildah, BuildKit, etc.). Currently, only inheritLabels metadata is removed, so other metadata (e.g., timestamp-related |force-mtime) can cause parsing errors.

Steps to reproduce:

  1. Create hello.txt and Dockerfile:
FROM alpine:3.20
COPY hello.txt /app/
HEALTHCHECK NONE
  1. Build the image using Buildah:
docker run --rm -it \
  --privileged \
  --security-opt seccomp=unconfined \
  -v /var/lib/containers:/var/lib/containers \
  -v $(pwd):/workspace \
  quay.io/buildah/stable:latest

buildah build -t test --timestamp 10 /workspace/

buildah push test docker-archive:/workspace/test.tar

---

docker load < test.tar
  1. Inspect the history:
docker history localhost/test --no-trunc | grep mtime

Example output:

sha256:ebfd8715e8726ba767c3146e68b528c05ae4fc075e58d383af31935607b5b173   N/A            /bin/sh -c #(nop) HEALTHCHECK NONE|force-mtime=10                                                                            5B        
<missing>                                                                 N/A            /bin/sh -c #(nop) COPY file:9bd7772ff507fb35bc1645a3d18c2fdf1903c61f847f389e6089360f08ca8ef4 in /app/     |force-mtime=10    0B        FROM docker.io/library/alpine:3.20
  1. Run Trivy:
trivy clean --scan-cache
trivy image --scanners misconfig --image-config-scanners misconfig --scanners "" localhost/test

Result:

2025-09-16T18:42:40+06:00       INFO    [image] Container image config scanners scanners=[misconfig]
2025-09-16T18:42:40+06:00       INFO    [misconfig] Misconfiguration scanning is enabled
2025-09-16T18:42:40+06:00       ERROR   [dockerfile scanner] Failed to parse file       file_path="Dockerfile" err="parse dockerfile instruction: Unknown type \"NONE|FORCE-MTIME=10\" in HEALTHCHECK (try CMD)"
2025-09-16T18:42:40+06:00       INFO    Detected config files   num=0
2025-09-16T18:42:40+06:00       WARN    [report] Supported files for scanner(s) not found.      scanners=[misconfig]

Report Summary

┌────────┬──────┬───────────────────┐
│ Target │ Type │ Misconfigurations │
├────────┼──────┼───────────────────┤
│   -    │  -   │         -         │
└────────┴──────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

Example of history with multiple metadata labels:

sha256:3c38c308a82e9f7e92ecbd093251640169b85a6d0295162151ec2f575bbf8ea6   N/A            /bin/sh -c #(nop) HEALTHCHECK NONE|unsetLabel=true|inheritLabels=false|force-mtime=10

Discussed in #9484

Metadata

Metadata

Assignees

No one assigned

    Labels

    kind/bugCategorizes issue or PR as related to a bug.scan/misconfigurationIssues relating to misconfiguration scanning

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions