Github Actions pipeline run for reference -> https://github.com/unixerius/proxmox-qdevice/actions/runs/21072965388/job/60607307451
The same issue occurs with Scout as integrated into Docker Hub -> https://hub.docker.com/repository/docker/unixerius/proxmox-qdevice/general
The containers that are being built are based off of Docker's DHI (docker hardened image) Debian Base image -> https://hub.docker.com/hardened-images/catalog/dhi/debian-base
The Docker Buildx instructions for my containers include the options for --sbom and --provenance mode=max. Both Buildx and Scout confirm that provenance information is included in the image.
Regardless, Docker Scout fails to recognise the base image.
Logs from the pipeline run:
Run docker/scout-action@v1
with:
command: quickview,cves
image: ghcr.io/***/proxmox-qdevice:bookworm
ignore-unchanged: true
only-severities: critical,high
github-token: ***
summary: true
format: json
write-comment: true
env:
registry: ***
image: proxmox-qdevice
quickview
✓ SBOM obtained from attestation, 135 packages found
✓ Provenance obtained from attestation
Error: image has no base image
Github Actions pipeline run for reference -> https://github.com/unixerius/proxmox-qdevice/actions/runs/21072965388/job/60607307451
The same issue occurs with Scout as integrated into Docker Hub -> https://hub.docker.com/repository/docker/unixerius/proxmox-qdevice/general
The containers that are being built are based off of Docker's DHI (docker hardened image) Debian Base image -> https://hub.docker.com/hardened-images/catalog/dhi/debian-base
The Docker Buildx instructions for my containers include the options for
--sbomand--provenance mode=max. Both Buildx and Scout confirm that provenance information is included in the image.Regardless, Docker Scout fails to recognise the base image.
Logs from the pipeline run: