I'm trying to use the Trivy GitHub Action to scan a Docker image privately stored in GitHub packages.
My action looks like
```yaml
jobs:
  security:
    runs-on: ubuntu-24.04
    permissions:
      contents: read
      packages: read
    steps:
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.32.0
        with:
          image-ref: ghcr.io/${{ github.repository }}:${{ github.ref_name }}
          format: github
          ignore-unfixed: false
          github-pat: ${{ secrets.GITHUB_TOKEN }}
```
But I get
```text
2025-07-09T13:11:44Z FATAL Fatal error run error: image scan error: scan error: unable to initialize a scan service: unable to initialize an image scan service: unable to find the specified image "ghcr.io/org/repo:2025.12" in ["docker" "containerd" "podman" "remote"]: 4 errors occurred:
  * docker error: unable to inspect the image (ghcr.io/org/repo:2025.12): Error response from daemon: No such image: ghcr.io/org/repo:2025.12
  * containerd error: failed to list images from containerd client: connection error: desc = "transport: Error while dialing: dial unix /run/containerd/containerd.sock: connect: permission denied"
  * podman error: unable to initialize Podman client: no podman socket found: stat /run/user/1001/podman/podman.sock: no such file or directory
  * remote error: GET https://ghcr.io/token?scope=repository%3Aorg%2Frepo%3Apull&service=ghcr.io: UNAUTHORIZED: authentication required
Error: Process completed with exit code 1.
```
Based on the README, I also tried
```yaml
steps:
  - name: Run Trivy vulnerability scanner
    uses: aquasecurity/trivy-action@0.32.0
    with:
      image-ref: ghcr.io/${{ github.repository }}:${{ github.ref_name }}
      format: github
      ignore-unfixed: false
    env:
      TRIVY_USERNAME: ${{ github.repository_owner }}
      TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
```
But I get the same outcome.
How can I scan my image?
You need to log in to `ghcr.io` before running Trivy and also pull the image manually. Here's the working solution:
```yaml
jobs:
  security-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: read
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Pull Docker image
        run: docker pull ghcr.io/${{ github.repository }}:${{ github.ref_name }}

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.32.0
        with:
          image-ref: ghcr.io/${{ github.repository }}:${{ github.ref_name }}
          format: github
          ignore-unfixed: false
          github-pat: ${{ secrets.GITHUB_TOKEN }}
```
The key is: without `docker login` and `docker pull`, Trivy can't access private images in GitHub Packages.
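A pre-flight check that goes in front of the login/pull/scan sequence from the answer above, as an added example that is not part of the question, the answer or Trivy itself. The `remote error` line in the failing run shows the registry redirecting the puller to `https://ghcr.io/token?scope=repository%3Aorg%2Frepo%3Apull&service=ghcr.io`; the script below rebuilds that URL from the image reference and asks it for a pull token with basic auth first, so a token that cannot see the package fails with one clear message instead of the four-provider error wall. The environment variable names `GHCR_USERNAME` and `GHCR_TOKEN` are assumptions chosen here (in the workflow they would be fed from `github.repository_owner` and `secrets.GITHUB_TOKEN`), and `curl`, `docker` and `trivy` are assumed to be on `PATH` when `scan_image` runs; the parsing and URL-building functions run on their own.

```shell
#!/bin/sh
# Added example (not from the question or the answer): check that the
# job's credentials can actually obtain a pull token for the private
# ghcr.io image before handing it to Trivy.
# Assumed environment (names chosen here, not Trivy's):
#   GHCR_USERNAME  e.g. ${{ github.repository_owner }}
#   GHCR_TOKEN     e.g. ${{ secrets.GITHUB_TOKEN }}
# Assumes curl, docker and trivy are on PATH when scan_image is called.
set -eu

# Split "ghcr.io/org/repo:tag" (or "...@sha256:<digest>") into
# "registry repository reference" on one line.
parse_image_ref() {
  ref="$1"
  registry="${ref%%/*}"
  rest="${ref#*/}"
  case "$rest" in
    *@sha256:*) repository="${rest%%@*}"; reference="${rest#*@}" ;;
    *:*)        repository="${rest%:*}";  reference="${rest##*:}" ;;
    *)          repository="$rest";       reference="latest" ;;
  esac
  printf '%s %s %s\n' "$registry" "$repository" "$reference"
}

# Build the token-endpoint URL the registry sends a puller to; this is the
# URL in the "remote error" line of the failing run. The scope is
# "repository:<repo>:pull" with "/" and ":" percent-encoded.
ghcr_token_url() {
  registry="$1"
  scope="$(printf 'repository:%s:pull' "$2" | sed 's|/|%2F|g; s|:|%3A|g')"
  printf 'https://%s/token?scope=%s&service=%s\n' "$registry" "$scope" "$registry"
}

# Ask the token endpoint for a pull token using basic auth. Returns 0 when
# the registry issues one (HTTP 200); otherwise prints the status and fails.
check_pull_access() {
  set -- $(parse_image_ref "$1")
  url="$(ghcr_token_url "$1" "$2")"
  status="$(curl -sS -o /dev/null -w '%{http_code}' \
             -u "${GHCR_USERNAME}:${GHCR_TOKEN}" "$url")"
  if [ "$status" != "200" ]; then
    echo "no pull token for $2 (HTTP $status): check 'packages: read' and that the token can see the package" >&2
    return 1
  fi
}

# Same sequence as the answer, with the check in front: log in so both the
# remote and the docker scan paths have credentials, pull, then scan.
scan_image() {
  ref="$1"
  check_pull_access "$ref"
  printf '%s' "$GHCR_TOKEN" | docker login ghcr.io -u "$GHCR_USERNAME" --password-stdin
  docker pull "$ref"
  trivy image --format table "$ref"
}

# Usage: GHCR_USERNAME=org GHCR_TOKEN=... ./ghcr-scan.sh ghcr.io/org/repo:2025.12
if [ "$#" -gt 0 ]; then
  scan_image "$1"
fi
```

In a workflow this runs as a single `run:` step before the Trivy step, with the two variables set from `github.repository_owner` and `secrets.GITHUB_TOKEN` under `env:`. A non-200 from the token endpoint while `packages: read` is already granted usually means the package is not attached to the repository the token belongs to, which is worth knowing before spending a pull and a scan on it.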