Running action with multiple image input

[rickardgranberg]

I'm using the provided example here: https://github.com/docker/scout-action#build-an-image-push-and-compare to run docker scout, but if the output from metadata-action steps.meta.outputs.tags contains multiple tags it's output as a multi-line string and this leads to the scout action giving an error:

Error: could not get the image <image-name-redacted>:latest
  <image-name-redacted>:<some-version>: failed to parse reference <image-name-redacted>:latest
  <image-name-redacted>:<some-version>:

Is this supposed to work?

[mikeparker]

Thanks for the report, yes this is a bug.

In terms of a fix, how would you like this to behave? Should we pick the first tag, the last tag, just error unless you configure it? Open to suggestions, and feel free to tell us what you're trying to do so we can understand how this should behave.

[rickardgranberg]

I used the example to point out the problem, my real use case is that I use docker bake that produces multiple images (using the docker/bake-action), and I would like to run scout for all of them.
So, ideally, I'd like it to run it for all the images that are input to it.

I'm fine with having to do some filtering of the image list to remove duplicates, for cases where it's the same image, just with multiple tags, prior to running the action.

[mikeparker]

When you say multiple images do you mean a multi-arch image so all the images have the same tag but different architectures or multiple differently tagged images (potentially from different repositories)?

Are you primarily using it to push information (e.g. registering these images have been deployed somewhere) or to fetch information (e.g. display the current vulnerabilities)?

I guess if we're going to support multiple images for output commands then we'll need to figure out the output format - would you prefer all results for all images in one big comment? with each image as a separate collapsible block (for example)?

[rickardgranberg]

When you say multiple images do you mean a multi-arch image so all the images have the same tag but different architectures or multiple differently tagged images (potentially from different repositories)?

Mainly multiple differently tagged images (but all from same repos if that makes a difference). We do have instances of the other type as well (different architectures) but that's not a priority.

Are you primarily using it to push information (e.g. registering these images have been deployed somewhere) or to fetch information (e.g. display the current vulnerabilities)?

For fetching, we want our builds to fail if there's a fixable CVE in our code or any of the images we're based on.

I guess if we're going to support multiple images for output commands then we'll need to figure out the output format - would you prefer all results for all images in one big comment? with each image as a separate collapsible block (for example)?

The important part is that it's easy to understand which image has a vulnerability. I'm fine with a comment for each, but I realize it might become noisy.

[gustavovalverde]

I've encountered this issue as well, but in a simpler scenario where we're using docker/metadata-action, which tags the image with both the sha and PR ref (pr-#). So, there are always at least 2 tags.

Here’s a reference workflow run:
https://github.com/ZcashFoundation/zebra/actions/runs/10918188115/job/30303098526?pr=8871#step:5:113

And here's the actual input being used (from this repo README):

• https://github.com/ZcashFoundation/zebra/blob/5bf34774f31b59a8fb1d92e948d7218ca1b6b01f/.github/workflows/sub-build-docker-image.yml#L199

These images result in the same artifact; the tags are just for easy reference.