fix(container): handle Grype source-scheme prefix collisions in image refs#115
Merged
eFAILution merged 1 commit into feat/argus-portability from May 5, 2026
Background
- User config: ``image: docker:argus-scan, dockerfile: docker/Dockerfile, context: .``
- Argus's builder correctly runs ``docker build --tag docker:argus-scan --file docker/Dockerfile .`` and tags the image locally.
- Grype's CLI then mis-parses ``docker:argus-scan``: ``docker:`` is a reserved Grype source-scheme prefix (alongside ``podman:``, ``registry:``, ``dir:``, ``sbom:``, ``oci-archive:``, ``oci-dir:``, ``singularity:``, ``attestation:``). Grype reads the colon as the scheme separator, looks for an image named ``argus-scan`` in the docker daemon, and fails — the user's locally-built image ``docker:argus-scan`` (image ``docker``, tag ``argus-scan``) is never resolved.
- Trivy doesn't have this ambiguity (positional arg, no scheme prefixes), so the same target works under Trivy.
Two-pronged fix
1. Config-load warning. ``warn_on_grype_prefix_collision`` checks each image ref against the reserved-prefix list at parse time and logs a remediation message ("rename to e.g. ``argus-app:dev``") before the Docker build runs — saves the user a wasted build cycle. Non-fatal so Trivy-only or build-only workflows aren't blocked.
2. Runtime escape in ``_run_grype``. When ``local=True``, the user's ref is prefixed with ``docker:`` so Grype's parser sees an explicit scheme regardless of what the user named the image:
   - ``docker:argus-scan`` → ``docker:docker:argus-scan`` (scheme ``docker``, identifier ``docker:argus-scan``)
   - ``myapp:dev`` → ``docker:myapp:dev`` (scheme ``docker``, identifier ``myapp:dev``)

   For remote (registry) scans we leave the ref untouched — that path was working before, and forcing the daemon source for an image that doesn't exist locally would break it.
Behavior preserved
- Trivy invocation unchanged.
- Healthy Grype scans (clean ref, ``local=True`` or ``local=False``) resolve identically; the new prefix is a no-op for daemon-resident images.
Tests (+8)
- ``TestGrypePrefixCollisionWarning`` (5): warning fires for each documented prefix, doesn't fire for clean refs, surfaces during ``parse_container_config``, defensive on non-string input, message includes a rename suggestion.
- ``TestRunGrypeLocalDaemonScheme`` (3): local target gets the ``docker:`` prefix uniformly (collision case AND clean-ref case), remote target does not.
Validation
- Full SDK suite: 1459 passed (+8), 8 skipped.
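As an added illustration (not the project's own code, and not from this PR), here is how the two pieces described above fit together: the parse-time collision check and the ``docker:`` escape applied only when ``local=True``. Function names follow the PR text; the implementation, the remediation wording and the ``-o json`` flag are assumptions.

```python
import logging

log = logging.getLogger("argus.container")

# Reserved Grype source-scheme prefixes listed in the PR description.
GRYPE_SOURCE_SCHEMES = (
    "docker", "podman", "registry", "dir", "sbom",
    "oci-archive", "oci-dir", "singularity", "attestation",
)


def grype_prefix_collision(image_ref):
    """Return the colliding scheme name, or None.

    Only the text before the first ':' matters: 'docker:argus-scan'
    collides, 'myapp:dev' does not, and 'registry.example.com:5000/app'
    does not either (its first segment is a hostname, not a scheme).
    """
    if not isinstance(image_ref, str):  # defensive on non-string input
        return None
    head, sep, _ = image_ref.partition(":")
    if sep and head.lower() in GRYPE_SOURCE_SCHEMES:
        return head.lower()
    return None


def warn_on_grype_prefix_collision(image_ref):
    """Config-load check: log a remediation hint, never raise."""
    scheme = grype_prefix_collision(image_ref)
    if scheme is None:
        return False
    tag = image_ref.partition(":")[2] or "dev"
    log.warning(
        "image ref %r starts with reserved Grype scheme %r; Grype would "
        "look for an image named %r in the daemon. Rename to e.g. %r",
        image_ref, scheme + ":", tag, "argus-app:" + tag,
    )
    return True


def grype_target(image_ref, local):
    """Runtime escape: force the daemon scheme for a locally built image,
    leave a remote (registry) ref untouched."""
    return "docker:" + image_ref if local else image_ref


def grype_argv(image_ref, local):
    """Argv handed to Grype; the '-o json' flag is an assumption here."""
    return ["grype", grype_target(image_ref, local), "-o", "json"]
```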
Codecov Report: ✅ All modified and coverable lines are covered by tests.
🔒 Argus Container Security Scan
Branch:
📊 Combined Findings Summary
Scanned: 4 containers | Build Failures: 0
📦 Container Breakdown
🔍 Detailed Findings by Container
🚨 cli - 28 vulnerabilities (22 unique)
Image:
Combined (Deduplicated)
🔷 Trivy Scanner (28 findings, 22 unique)
⚓ Grype Scanner (0 findings, 0 unique)
✅ No vulnerabilities detected by Grype
🟡 scanner-bandit - 1 vulnerabilities (1 unique)
Image:
Combined (Deduplicated)
🔷 Trivy Scanner (1 findings, 1 unique)
⚓ Grype Scanner (0 findings, 0 unique)
✅ No vulnerabilities detected by Grype
| 🚨 Critical | High | 🟡 Medium | 🔵 Low | Total | Unique |
|---|---|---|---|---|---|
| 0 | 7 | 41 | 63 | 113 | 49 |
🔷 Trivy Scanner (113 findings, 48 unique)
| CVE | Severity | Package | Version | Fixed |
|---|---|---|---|---|
| CVE-2026-4878 | HIGH | libcap2 | 1:2.75-10+b8 | N/A |
| CVE-2025-69720 | HIGH | libncursesw6 | 6.5+20250216-2 | N/A |
| CVE-2026-29111 | HIGH | libsystemd0 | 257.9-1~deb13u1 | N/A |
| CVE-2025-69720 | HIGH | libtinfo6 | 6.5+20250216-2 | N/A |
| CVE-2026-29111 | HIGH | libudev1 | 257.9-1~deb13u1 | N/A |
| CVE-2025-69720 | HIGH | ncurses-base | 6.5+20250216-2 | N/A |
| CVE-2025-69720 | HIGH | ncurses-bin | 6.5+20250216-2 | N/A |
| CVE-2026-27456 | 🟡 MEDIUM | bsdutils | 1:2.41-5 | N/A |
| CVE-2026-3184 | 🟡 MEDIUM | bsdutils | 1:2.41-5 | N/A |
| CVE-2026-27456 | 🟡 MEDIUM | libblkid1 | 2.41-5 | N/A |
| CVE-2026-3184 | 🟡 MEDIUM | libblkid1 | 2.41-5 | N/A |
| CVE-2026-4046 | 🟡 MEDIUM | libc-bin | 2.41-12+deb13u2 | N/A |
| CVE-2026-4437 | 🟡 MEDIUM | libc-bin | 2.41-12+deb13u2 | N/A |
| CVE-2026-4438 | 🟡 MEDIUM | libc-bin | 2.41-12+deb13u2 | N/A |
| CVE-2026-5435 | 🟡 MEDIUM | libc-bin | 2.41-12+deb13u2 | N/A |
| CVE-2026-5450 | 🟡 MEDIUM | libc-bin | 2.41-12+deb13u2 | N/A |
| CVE-2026-5928 | 🟡 MEDIUM | libc-bin | 2.41-12+deb13u2 | N/A |
| CVE-2026-4046 | 🟡 MEDIUM | libc6 | 2.41-12+deb13u2 | N/A |
| CVE-2026-4437 | 🟡 MEDIUM | libc6 | 2.41-12+deb13u2 | N/A |
| CVE-2026-4438 | 🟡 MEDIUM | libc6 | 2.41-12+deb13u2 | N/A |
| CVE-2026-5435 | 🟡 MEDIUM | libc6 | 2.41-12+deb13u2 | N/A |
| CVE-2026-5450 | 🟡 MEDIUM | libc6 | 2.41-12+deb13u2 | N/A |
| CVE-2026-5928 | 🟡 MEDIUM | libc6 | 2.41-12+deb13u2 | N/A |
| CVE-2026-27456 | 🟡 MEDIUM | liblastlog2-2 | 2.41-5 | N/A |
| CVE-2026-3184 | 🟡 MEDIUM | liblastlog2-2 | 2.41-5 | N/A |
| CVE-2026-34743 | 🟡 MEDIUM | liblzma5 | 5.8.1-1 | N/A |
| CVE-2026-27456 | 🟡 MEDIUM | libmount1 | 2.41-5 | N/A |
| CVE-2026-3184 | 🟡 MEDIUM | libmount1 | 2.41-5 | N/A |
| CVE-2026-27456 | 🟡 MEDIUM | libsmartcols1 | 2.41-5 | N/A |
| CVE-2026-3184 | 🟡 MEDIUM | libsmartcols1 | 2.41-5 | N/A |
| CVE-2026-40225 | 🟡 MEDIUM | libsystemd0 | 257.9-1~deb13u1 | N/A |
| CVE-2026-40226 | 🟡 MEDIUM | libsystemd0 | 257.9-1~deb13u1 | N/A |
| CVE-2026-4105 | 🟡 MEDIUM | libsystemd0 | 257.9-1~deb13u1 | N/A |
| CVE-2026-40225 | 🟡 MEDIUM | libudev1 | 257.9-1~deb13u1 | N/A |
| CVE-2026-40226 | 🟡 MEDIUM | libudev1 | 257.9-1~deb13u1 | N/A |
| CVE-2026-4105 | 🟡 MEDIUM | libudev1 | 257.9-1~deb13u1 | N/A |
| CVE-2026-27456 | 🟡 MEDIUM | libuuid1 | 2.41-5 | N/A |
| CVE-2026-3184 | 🟡 MEDIUM | libuuid1 | 2.41-5 | N/A |
| CVE-2026-27456 | 🟡 MEDIUM | login | 1:4.16.0-2+really2.41-5 | N/A |
| CVE-2026-3184 | 🟡 MEDIUM | login | 1:4.16.0-2+really2.41-5 | N/A |
| CVE-2026-27456 | 🟡 MEDIUM | mount | 2.41-5 | N/A |
| CVE-2026-3184 | 🟡 MEDIUM | mount | 2.41-5 | N/A |
| CVE-2026-5958 | 🟡 MEDIUM | sed | 4.9-2 | N/A |
| CVE-2026-5704 | 🟡 MEDIUM | tar | 1.35+dfsg-3.1 | N/A |
| CVE-2026-27456 | 🟡 MEDIUM | util-linux | 2.41-5 | N/A |
| CVE-2026-3184 | 🟡 MEDIUM | util-linux | 2.41-5 | N/A |
| CVE-2026-27171 | 🟡 MEDIUM | zlib1g | 1:1.3.dfsg+really1.3.1-1+b1 | N/A |
| CVE-2026-3219 | 🟡 MEDIUM | pip | 26.0.1 | N/A |
| CVE-2011-3374 | 🔵 LOW | apt | 3.0.3 | N/A |
| TEMP-0841856-B18BAF | 🔵 LOW | bash | 5.2.37-2+b8 | N/A |
...and 63 more
⚓ Grype Scanner (0 findings, 0 unique)
✅ No vulnerabilities detected by Grype
⚠️ scanner-supply-chain - 8 vulnerabilities (8 unique)
Image: ghcr.io/huntridge-labs/argus/scanner-supply-chain:c7089b8b1f4ca0a2215777b728ce93316245b7c2
Combined (Deduplicated)
| 🚨 Critical | High | 🟡 Medium | 🔵 Low | Total | Unique |
|---|---|---|---|---|---|
| 0 | 4 | 4 | 0 | 8 | 8 |
🔷 Trivy Scanner (8 findings, 8 unique)
| CVE | Severity | Package | Version | Fixed |
|---|---|---|---|---|
| CVE-2026-32280 | HIGH | stdlib | v1.26.1 | 1.25.9, 1.26.2 |
| CVE-2026-32281 | HIGH | stdlib | v1.26.1 | 1.25.9, 1.26.2 |
| CVE-2026-32283 | HIGH | stdlib | v1.26.1 | 1.25.9, 1.26.2 |
| CVE-2026-33810 | HIGH | stdlib | v1.26.1 | 1.26.2 |
| CVE-2026-3219 | 🟡 MEDIUM | pip | 26.0.1 | N/A |
| CVE-2026-32282 | 🟡 MEDIUM | stdlib | v1.26.1 | 1.25.9, 1.26.2 |
| CVE-2026-32288 | 🟡 MEDIUM | stdlib | v1.26.1 | 1.25.9, 1.26.2 |
| CVE-2026-32289 | 🟡 MEDIUM | stdlib | v1.26.1 | 1.25.9, 1.26.2 |
⚓ Grype Scanner (0 findings, 0 unique)
✅ No vulnerabilities detected by Grype
Generated by Argus