github-actionstrivy

Scan private GitHub package with Trivy

I'm trying to use the Trivy GitHub Action to scan a Docker image privately stored in GitHub packages.

My action looks like

jobs:
  security:
    runs-on: ubuntu-24.04

    permissions:
      contents: read
      packages: read

    steps:          
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.32.0
        with:
          image-ref: ghcr.io/${{ github.repository }}:${{ github.ref_name }}
          format: github
          ignore-unfixed: false
          github-pat: ${{ secrets.GITHUB_TOKEN }}

But I get

2025-07-09T13:11:44Z    FATAL   Fatal error run error: image scan error: scan error: unable to initialize a scan service: unable to initialize an image scan service: unable to find the specified image "ghcr.io/org/repo:2025.12" in ["docker" "containerd" "podman" "remote"]: 4 errors occurred:
    * docker error: unable to inspect the image (ghcr.io/org/repo:2025.12): Error response from daemon: No such image: ghcr.io/org/repo:2025.12
    * containerd error: failed to list images from containerd client: connection error: desc = "transport: Error while dialing: dial unix /run/containerd/containerd.sock: connect: permission denied"
    * podman error: unable to initialize Podman client: no podman socket found: stat /run/user/1001/podman/podman.sock: no such file or directory
    * remote error: GET https://ghcr.io/token?scope=repository%3Aorg%2Frepo%3Apull&service=ghcr.io: UNAUTHORIZED: authentication required
Error: Process completed with exit code 1.

Based on the README, I also tried

    steps:          
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.32.0
        with:
          image-ref: ghcr.io/${{ github.repository }}:${{ github.ref_name }}
          format: github
          ignore-unfixed: false 
        env:
          TRIVY_USERNAME: ${{ github.repository_owner }}
          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}

But I get the same outcome.

How can I scan my image?

Solution

  • You need to log in to `ghcr.io` before running Trivy and also pull the image manually. Here's the working solution:

    jobs:
  security-scan:
    runs-on: ubuntu-latest

    permissions:
      contents: read
      packages: read
      security-events: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Pull Docker image
        run: docker pull ghcr.io/${{ github.repository }}:${{ github.ref_name }}

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.32.0
        with:
          image-ref: ghcr.io/${{ github.repository }}:${{ github.ref_name }}
          format: github
          ignore-unfixed: false
          github-pat: ${{ secrets.GITHUB_TOKEN }}

    The key is: without docker login and docker pull, Trivy can't access private images in GitHub Packages.