Impossible to scan private image from Github registry

[FloRichardAloeCorp]

Hello, I can't scan a private image that is stored in ghcr.io.

I've verified the credentials.

Here is the pipeline:

name: Deploy to dev env

on:
  push:
    branches: ["dev"]
  pull_request:
    branches: ["dev"]

jobs:
  build-and-push-image:
    runs-on: ubuntu-latest
    permissions:
      packages: write
      contents: read
      security-events: write
      actions: read
    steps:
      - uses: actions/checkout@v4

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - uses: kubescape/github-action@main
        continue-on-error: true
        with:
          image: ghcr.io/beltsecurity/fleet-qc:dev
          format: sarif
          outputFile: results.sarif
          registryUsername: ${{ github.actor }}
          registryPassword: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload Kubescape scan results to Github Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          push: true
          tags: ghcr.io/beltsecurity/fleet-qc:dev

The pipeline step kubescape/github-action@main outputs the following error:

Error: unable to load image: unable to use OciRegistry source: failed to get image descriptor from registry: GET https://auth.docker.io/token?scope=repository%3A%2F%2Fghcr.io%2Fbeltsecurity%2Ffleet-qc%3Apull&service=registry.docker.io: unexpected status code 401 Unauthorized: {"details":"incorrect username or password"}

I think that URL of the targeted registry is wrong.

[matthyx]

@FloRichardAloeCorp can you check which version of the kubescape image is running?
I believe if you use quay.io/kubescape/kubescape-cli:v3.0.15 it should work.
Then I should check if we need to change action.yml...

[bf-thomas]

@matthyx the current main of the action uses 3.0.5

Would be nice if the action version gets updates more frequently.

[matthyx]

@matthyx the current main of the action uses 3.0.5

Would be nice if the action version gets updates more frequently.

do you think we can use dependabot or renovate for that?

[bf-thomas]

yes, pretty sure. Depandabot would create a PR which bumps the baseimage image.
Dependabot for Docker

I'm not sure how aligns with your PR-agent though.

[bf-thomas]

Another update on this. I had the same issue with a private gcp container registry.
I got it solved by updating the kubescape-cli version to 3.0.16 and removing the registry:// here:
https://github.com/kubescape/github-action/blob/main/entrypoint.sh#L149

Otherwise, it seems that kubescape is requesting the image from docker.io what is wrong in this case.

[meysam81]

Any update to this issue?

I am facing issue scanning private GHCR images with the same behavior as others.

The last comment, hinting to remove registry:// and upgrading the base docker image fixed my issue. 🙏

But, it would be nice to officially fix this.