Scan private GitHub package with Trivy
I'm trying to use the Trivy GitHub Action to scan a Docker image privately stored in GitHub packages.

My action looks like

    jobs:
      security:
        runs-on: ubuntu-24.04

        permissions:
          contents: read
          packages: read

        steps:
          - name: Run Trivy vulnerability scanner
            uses: aquasecurity/trivy-action@0.32.0
            with:
              image-ref: ghcr.io/${{ github.repository }}:${{ github.ref_name }}
              format: github
              ignore-unfixed: false
              github-pat: ${{ secrets.GITHUB_TOKEN }}

But I get

    2025-07-09T13:11:44Z    FATAL   Fatal error run error: image scan error: scan error: unable to initialize a scan service: unable to initialize an image scan service: unable to find the specified image "ghcr.io/org/repo:2025.12" in ["docker" "containerd" "podman" "remote"]: 4 errors occurred:
        * docker error: unable to inspect the image (ghcr.io/org/repo:2025.12): Error response from daemon: No such image: ghcr.io/org/repo:2025.12
        * containerd error: failed to list images from containerd client: connection error: desc = "transport: Error while dialing: dial unix /run/containerd/containerd.sock: connect: permission denied"
        * podman error: unable to initialize Podman client: no podman socket found: stat /run/user/1001/podman/podman.sock: no such file or directory
        * remote error: GET https://ghcr.io/token?scope=repository%3Aorg%2Frepo%3Apull&service=ghcr.io: UNAUTHORIZED: authentication required
    Error: Process completed with exit code 1.

Based on the README, I also tried

    steps:
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.32.0
        with:
          image-ref: ghcr.io/${{ github.repository }}:${{ github.ref_name }}
          format: github
          ignore-unfixed: false
        env:
          TRIVY_USERNAME: ${{ github.repository_owner }}
          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}

But I get the same outcome.

How can I scan my image?


Solution

  • You need to log in to `ghcr.io` before running Trivy and also pull the image manually. Here's the working solution:

    jobs:
      security-scan:
        runs-on: ubuntu-latest
    
        permissions:
          contents: read
          packages: read
          security-events: write
    
        steps:
          - name: Checkout repository
            uses: actions/checkout@v4
    
          - name: Log in to GitHub Container Registry
            uses: docker/login-action@v3
            with:
              registry: ghcr.io
              username: ${{ github.repository_owner }}
              password: ${{ secrets.GITHUB_TOKEN }}
    
          - name: Pull Docker image
            run: docker pull ghcr.io/${{ github.repository }}:${{ github.ref_name }}
    
          - name: Run Trivy vulnerability scanner
            uses: aquasecurity/trivy-action@0.32.0
            with:
              image-ref: ghcr.io/${{ github.repository }}:${{ github.ref_name }}
              format: github
              ignore-unfixed: false
              github-pat: ${{ secrets.GITHUB_TOKEN }}
    

    The key is: without docker login and docker pull, Trivy can't access private images in GitHub Packages.
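As an added example that is not part of the question or the answer above: the login-then-pull-then-scan sequence from the workflow can be reproduced locally to confirm which credential Trivy's `remote` backend actually picks up. Trivy resolves registry credentials through the standard Docker config file (`$DOCKER_CONFIG/config.json`), which is the file `docker login` writes, so the script below writes that file itself; the function names, the config directory and the sample username and token are illustrative, and the token value is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the question or the answer): reproduce locally what the
# docker/login-action step does, then pull and scan with the same credentials.
# Trivy's remote backend reads $DOCKER_CONFIG/config.json, the same file that
# `docker login` writes, so an "UNAUTHORIZED: authentication required" from
# ghcr.io/token means no usable entry for ghcr.io exists in that file.
set -eu

# Write a Docker config.json entry for one registry. The "auth" value is the
# base64 of "username:token", exactly the layout `docker login` stores.
# Usage: write_registry_auth <config_dir> <registry> <username> <token>
write_registry_auth() {
  local config_dir="$1" registry="$2" username="$3" token="$4"
  local encoded
  encoded="$(printf '%s:%s' "$username" "$token" | base64 | tr -d '\n')"
  mkdir -p "$config_dir"
  chmod 700 "$config_dir"                      # keep the token private
  printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$registry" "$encoded" \
    > "$config_dir/config.json"
  chmod 600 "$config_dir/config.json"
}

# Read back only the username stored for a registry, so the file can be
# verified without printing the token. Usage: auth_username_for <config_dir> <registry>
auth_username_for() {
  local config_dir="$1" registry="$2"
  grep -o "\"$registry\":{\"auth\":\"[^\"]*\"" "$config_dir/config.json" \
    | sed 's/.*"auth":"//; s/"$//' | base64 -d | cut -d: -f1
}

# Pull the private image and scan it with the same config dir, so both the
# Docker daemon and Trivy's remote backend see the credentials. Mirrors the
# workflow: --ignore-unfixed=false keeps unfixed CVEs, --exit-code 1 fails the
# job when findings of the listed severities exist.
# Usage: scan_private_image <config_dir> <image_ref>
scan_private_image() {
  local config_dir="$1" image_ref="$2"
  DOCKER_CONFIG="$config_dir" docker pull "$image_ref"
  DOCKER_CONFIG="$config_dir" trivy image --ignore-unfixed=false \
    --exit-code 1 --severity HIGH,CRITICAL "$image_ref"
}

# Example run (constructed values; in Actions the token is secrets.GITHUB_TOKEN):
#   write_registry_auth "$HOME/.docker" ghcr.io octocat constructed-token-value
#   scan_private_image "$HOME/.docker" ghcr.io/org/repo:2025.12
```

In the Actions job, pointing `DOCKER_CONFIG` at a per-job temporary directory and removing it afterwards keeps the token out of the runner's default `~/.docker/config.json`.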