8 changes: 8 additions & 0 deletions .github/workflows/docker-hub.yml
Expand Up @@ -23,6 +23,9 @@ jobs:
-
name: Checkout repository
uses: actions/checkout@v4
-
name: Set up QEMU
uses: docker/setup-qemu-action@v3
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
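Review bot: `docker/setup-qemu-action@v3` (like the adjacent `actions/checkout@v4` and `docker/setup-buildx-action@v3`) is referenced by a mutable major-version tag rather than a full commit SHA, so a moved or compromised tag would run arbitrary code in the job that publishes the backend image with whatever registry credentials it holds; pin third-party actions to a commit SHA with the version in a trailing comment, e.g. `uses: docker/setup-qemu-action@<commit-sha> # v3`. The step ordering (QEMU registered before Buildx is set up) is correct for cross-building the arm64 target.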
Expand Down Expand Up @@ -52,6 +55,7 @@ jobs:
with:
context: .
target: backend-production
platforms: linux/amd64,linux/arm64
⚠️ Potential issue | 🟠 Major

arm64 images are never scanned for vulnerabilities

The Trivy scan steps (lines 46–50 and 90–94) pass docker-build-args without a --platform flag, so numerique-gouv/action-trivy-cache only builds and scans the native linux/amd64 image. After this PR, the published multi-arch manifest also includes a linux/arm64 image whose base layers and packages are entirely unscanned — a different binary set that may carry different CVEs.

Options to address:

  1. Add a second scan invocation explicitly targeting linux/arm64 (if the custom action supports --platform linux/arm64 in docker-build-args).
  2. If option 1 is not feasible, document the known gap and open a follow-up issue to track it.

Also applies to: 103-103

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/docker-hub.yml at line 58, the Trivy scan steps use numerique-gouv/action-trivy-cache with docker-build-args but do not pass a --platform flag, so only linux/amd64 is scanned while the workflow publishes a multi-arch manifest (platforms: linux/amd64,linux/arm64); update the Trivy scan steps (the action usages of numerique-gouv/action-trivy-cache and the docker-build-args inputs) to add a second scan invocation that passes "--platform=linux/arm64" (or otherwise include "--platform linux/arm64" in docker-build-args) so the arm64 image layers are built and scanned, and if that action does not support platform builds, add a short documented note in the workflow and open a follow-up issue to track scanning arm64 separately.

build-args: DOCKER_USER=${{ env.DOCKER_USER }}:-1000
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
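Review bot: `platforms: linux/amd64,linux/arm64` turns every run of this step into a QEMU-emulated cross-build, so an arm64-only failure (a dependency with no arm64 build, an emulation crash) now blocks publishing the amd64 image as well, and build time grows noticeably; consider giving arm64 its own job or matrix entry so the two targets fail independently. As raised in the thread above, the vulnerability scan that gates this image still only covers the amd64 build, so the arm64 manifest entry is published unscanned; make sure the scan runs for both platforms or record the gap before merging.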
Expand All @@ -63,6 +67,9 @@ jobs:
-
name: Checkout repository
uses: actions/checkout@v4
-
name: Set up QEMU
uses: docker/setup-qemu-action@v3
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
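Review bot: This repeats the QEMU/Buildx setup of the backend job and inherits the same concern: the actions are pinned by mutable tag rather than commit SHA. Pin to a SHA here too, and consider moving the shared setup into a reusable workflow or composite action so the two jobs cannot drift apart.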
Expand Down Expand Up @@ -93,6 +100,7 @@ jobs:
context: .
file: ./src/frontend/Dockerfile
target: frontend-production
platforms: linux/amd64,linux/arm64
build-args: |
DOCKER_USER=${{ env.DOCKER_USER }}:-1000
push: ${{ github.event_name != 'pull_request' }}
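Review bot: The same scan-coverage concern applies to the frontend image (the thread notes "Also applies to: 103-103"): the arm64 variant added by `platforms: linux/amd64,linux/arm64` is built and pushed without passing through the Trivy scan. Separately, the unchanged context line `DOCKER_USER=${{ env.DOCKER_USER }}:-1000` expands to a value of the form `1000:-1000`, not a shell-style default; worth confirming the Dockerfile expects that exact form before relying on it for the new arm64 build.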
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -10,6 +10,7 @@ and this project adheres to

### Added

- 👷(docker) add arm64 platform support for image builds
- ✨(waffle) hide the waffle if not fr theme
- ✨(front) allow pasting an attachment from clipboard
- ✨(array) temporarily adjust array
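Review bot: The changelog entry announces arm64 image support without mentioning that, per the review thread, the published arm64 image is not yet covered by the Trivy scan; if that gap ships, note it here or link the follow-up issue so users of the arm64 tags know it is unscanned.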