Summary
The Container Image workflow (container.yml) Trivy scan job has never succeeded - all 11 runs since the workflow was introduced have failed.
Error
FATAL: unable to initialize container image: failed to parse the image name:
could not parse reference: ghcr.io/complytime/complypack:
Followed by:
Path does not exist: trivy-image-scan-f4d057ff8f0b463a9382d68e0149acfa928922c1-11.sarif
First failing run (June 16): https://github.com/complytime/complypack/actions/runs/27620218487
Latest failing run: https://github.com/complytime/complypack/actions/runs/27829332309
Root Cause
The scan job in container.yml constructs the image reference as:
image_ref: ${{ needs.push.outputs.image }}:${{ needs.push.outputs.tag }}
However, the reusable workflow reusable_publish_ghcr.yml does not export a tag output. Its available outputs are:
| Output | Description | Example |
|---|---|---|
| image | Image name without tag | ghcr.io/complytime/complypack |
| image_ref | Full reference with tag | ghcr.io/complytime/complypack:sha-abc123 |
| digest | Image digest | sha256:abc... |
| tags | Multi-line string of all tags | sha-abc123\nlatest |
Since needs.push.outputs.tag resolves to an empty string, the constructed reference becomes ghcr.io/complytime/complypack: (trailing colon, no tag), which is an invalid image reference that Trivy cannot parse.
Because Trivy exits before producing the SARIF report, the subsequent Upload SARIF step also fails when it cannot find the expected .sarif file.
Fix
Use the image_ref output directly instead of manually constructing the reference:
scan:
needs: push
...
with:
-
image_ref: ${{ needs.push.outputs.image }}:${{ needs.push.outputs.tag }}
-
image_ref: ${{ needs.push.outputs.image_ref }}
image_digest: ${{ needs.push.outputs.digest }}
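Review bot: On the replacement image_ref line, the scan still resolves the image through a tag, while the job already receives needs.push.outputs.digest on the next line. Consider passing the image name together with the digest (image plus "@" plus digest) so that Trivy scans exactly the artifact that was pushed and signed, and add a step that fails early when the reference is empty or ends in ":" so an undeclared output cannot reach Trivy again. Both the removed and the added line carry a "-" marker here; the added line should be marked "+".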
Working Example
complytime-collector-components uses the correct output in its container pipeline:
image_ref: ${{ needs.build-beacon-distro.outputs.image_ref }}
Impact
- The push and sign jobs succeed, so container images are being published and signed.
- Only the vulnerability scan is broken, meaning images are not being scanned for CVEs before or after signing.
- This has been broken since the workflow was introduced and has never produced a successful scan.
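An added example, not code from the complypack repository: a small lint that flags needs.<job>.outputs.<name> references to outputs the called workflow does not declare, which is the root cause described above. The workflow excerpts are constructed from the snippets in this issue, and undeclared_outputs and render are hypothetical helper names.

```python
import re

# Outputs this issue lists for reusable_publish_ghcr.yml, keyed by the calling job.
DECLARED_OUTPUTS = {"push": {"image", "image_ref", "digest", "tags"}}

# Constructed excerpts of the scan job, built from the snippets in this issue.
BROKEN = """\
scan:
  needs: push
  with:
    image_ref: ${{ needs.push.outputs.image }}:${{ needs.push.outputs.tag }}
    image_digest: ${{ needs.push.outputs.digest }}
"""
FIXED = BROKEN.replace(
    "${{ needs.push.outputs.image }}:${{ needs.push.outputs.tag }}",
    "${{ needs.push.outputs.image_ref }}",
)

EXPR = re.compile(r"\$\{\{(.*?)\}\}")  # one ${{ ... }} expression
OUTPUT_REF = re.compile(r"\bneeds\.([\w-]+)\.outputs\.([\w-]+)")


def undeclared_outputs(workflow_text, declared):
    """Return (line_no, job, output) for each reference to an undeclared output."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        for expr in EXPR.findall(line):
            for job, name in OUTPUT_REF.findall(expr):
                # Jobs with no known output list are skipped rather than guessed at.
                if job in declared and name not in declared[job]:
                    findings.append((line_no, job, name))
    return findings


def render(template, outputs):
    """Expand output references; a missing output becomes '' as the issue describes."""
    def expand(match):
        ref = OUTPUT_REF.search(match.group(1))
        if not ref:
            return match.group(0)  # leave other expressions untouched
        return outputs.get(ref.group(1), {}).get(ref.group(2), "")
    return EXPR.sub(expand, template)


if __name__ == "__main__":
    for line_no, job, name in undeclared_outputs(BROKEN, DECLARED_OUTPUTS):
        print(f"line {line_no}: needs.{job}.outputs.{name} is not a declared output")
```

Run against the caller workflow in a pull-request check, this reports the undeclared output before the scan job ever runs.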