If I scan an image by its manifest digest, say alpine, without pulling it locally, we don't see an issue in scanning it with Dockle.
```
# dockle --debug alpine@sha256:eddacbc7e24bf8799a4ed3cdcfa50d4b88a323695ad80f317b6629883b2c2a78
WARN - CIS-DI-0001: Create a user for the container
* Last user should not be root
INFO - CIS-DI-0005: Enable Content trust for Docker
* export DOCKER_CONTENT_TRUST=1 before docker pull/build
INFO - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
* not found HEALTHCHECK statement
```
However, if we pull the same image by its manifest digest to the local environment, Dockle is unable to scan the image by its digest.
```
2024-08-08T05:10:15.556Z FATAL unable to initialize a image struct: failed to initialize source: failed to initialize: Manifest does not match provided manifest digest sha256:eddacbc7e24bf8799a4ed3cdcfa50d4b88a323695ad80f317b6629883b2c2a78
dockle 324bc02ae123
2024-08-08T05:10:23.543Z FATAL unable to initialize a image struct: failed to initialize source: reading manifest latest in docker.io/library/324bc02ae123: requested access to the resource is denied
```
**What did you expect to happen?**
Scan the image with its Manifest Digest just like how Dockle scans the images placed in the remote registry/repo.
**What happened instead?**
`2024-08-08T05:10:15.556Z FATAL unable to initialize a image struct: failed to initialize source: failed to initialize: Manifest does not match provided manifest digest sha256:eddacbc7e24bf8799a4ed3cdcfa50d4b88a323695ad80f317b6629883b2c2a78`
**Output of run with `-debug`:**
```
2024-08-08T05:31:28.280Z DEBUG There is no .dockleignore file
2024-08-08T05:31:28.280Z DEBUG Skipped update confirmation
2024-08-08T05:31:28.280Z DEBUG Start assessments...
2024-08-08T05:31:28.340Z FATAL unable to initialize a image struct:
github.com/goodwithtech/deckoder/extractor/docker.newDockerExtractor
/home/runner/go/pkg/mod/github.com/goodwithtech/deckoder@v0.0.5/extractor/docker/docker.go:73
failed to initialize source:
github.com/goodwithtech/deckoder/extractor/image.NewImage
/home/runner/go/pkg/mod/github.com/goodwithtech/deckoder@v0.0.5/extractor/image/image.go:86
failed to initialize:
github.com/goodwithtech/deckoder/extractor/image.newSource
/home/runner/go/pkg/mod/github.com/goodwithtech/deckoder@v0.0.5/extractor/image/image.go:118
Manifest does not match provided manifest digest sha256:eddacbc7e24bf8799a4ed3cdcfa50d4b88a323695ad80f317b6629883b2c2a78
```
**Description**
```
docker image ls alpine
REPOSITORY TAG IMAGE ID CREATED SIZE
alpine 324bc02ae123 2 weeks ago 7.8MB
dockle alpine@sha256:eddacbc7e24bf8799a4ed3cdcfa50d4b88a323695ad80f317b6629883b2c2a78
2024-08-08T05:10:15.556Z FATAL unable to initialize a image struct: failed to initialize source: failed to initialize: Manifest does not match provided manifest digest sha256:eddacbc7e24bf8799a4ed3cdcfa50d4b88a323695ad80f317b6629883b2c2a78
dockle 324bc02ae123
2024-08-08T05:10:23.543Z FATAL unable to initialize a image struct: failed to initialize source: reading manifest latest in docker.io/library/324bc02ae123: requested access to the resource is denied
```
**Output of `dockle -v`:**

**Additional details (base image name, container registry info...):**
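
The mismatch reported above can be reproduced in miniature: a manifest digest is the SHA-256 of the exact manifest bytes, so a manifest rebuilt from local storage no longer hashes to the digest pinned in `image@sha256:...`. This is an added example, not Dockle or deckoder code; the manifest is constructed, the function names are hypothetical, and that the local-daemon path rebuilds the manifest is an assumption about this report.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed sample manifest, byte-for-byte as a registry would serve it.
var registryManifest = []byte(`{
  "schemaVersion": 2,
  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
  "config": {"size": 1471, "digest": "sha256:constructed-placeholder"},
  "layers": []
}`)

var ErrDigestMismatch = errors.New("manifest does not match provided manifest digest")

// ManifestDigest (hypothetical helper) hashes the exact bytes it is given.
func ManifestDigest(raw []byte) string {
	sum := sha256.Sum256(raw)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// VerifyPinned checks manifest bytes against the digest of an image@sha256:... reference.
func VerifyPinned(raw []byte, pinned string) error {
	if got := ManifestDigest(raw); got != pinned {
		return fmt.Errorf("%w: pinned %s, got %s", ErrDigestMismatch, pinned, got)
	}
	return nil
}

// Reserialize re-encodes the manifest: same content, different bytes (assumed local behaviour).
func Reserialize(raw []byte) ([]byte, error) {
	var m map[string]interface{}
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	return json.Marshal(m)
}

func main() {
	pinned := ManifestDigest(registryManifest)
	fmt.Println("registry bytes:", VerifyPinned(registryManifest, pinned))
	local, _ := Reserialize(registryManifest)
	fmt.Println("rebuilt bytes: ", VerifyPinned(local, pinned))
}
```

A digest-pinned reference can therefore only be verified against the bytes the registry served, which is consistent with the remote scan succeeding and the local one failing.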