bug: docker history analyzer exports instructions with build arguments without processing

[nikpivkin]

Description

If the instruction uses build arguments, the analyzer does not cut the |1 NAME= /bin/sh -c prefix, and the value passed to Rego has the following form: |1 NAME= /bin/sh -c echo $NAME.

Example for the RUN instruction:

TRACE | | | Unify {"Cmd": "run", "EndLine": 2, "Flags": [], "JSON": false, "Original": "RUN |1 NAME= /bin/sh -c echo $NAME", "Path": "Dockerfile", "Stage": 0, "StartLine": 2, "SubCmd": "", "Value": ["|1 NAME= /bin/sh -c echo $NAME"]} = instruction

Desired Behavior

Instructions must be exported without the prefix |1 NAME= /bin/sh -c.

Actual Behavior

Instructions are exported in full

Reproduction Steps

1.Build image from Dockerfile:

FROM alpine
ARG NAME
RUN echo $NAME

2. Run trivy with `--trace` flag:
```bash
❯ trivy image --image-config-scanners misconfig test-img --trace
3.
...

Target

None

Scanner

None

Output Format

None

Mode

None

Debug Output

2025-01-22T17:37:30+06:00       INFO    [image] Container image config scanners scanners=[misconfig]
...
ID: DS026
File: test-img
Namespace: builtin.dockerfile.DS026
Query: data.builtin.dockerfile.DS026.deny
Message: Add HEALTHCHECK instruction in your Dockerfile
TRACE Enter data.builtin.dockerfile.DS026.deny = _
TRACE | Eval data.builtin.dockerfile.DS026.deny = _
TRACE | Unify data.builtin.dockerfile.DS026.deny = _
TRACE | Index data.builtin.dockerfile.DS026.deny (matched 1 rule)
TRACE | Enter data.builtin.dockerfile.DS026.deny
TRACE | | Eval __local5872__ = data.lib.docker.healthcheck
TRACE | | Unify __local5872__ = data.lib.docker.healthcheck
TRACE | | Index data.lib.docker.healthcheck (matched 1 rule)
TRACE | | Enter data.lib.docker.healthcheck
TRACE | | | Eval instruction = input.Stages[_].Commands[_]
TRACE | | | Unify instruction = input.Stages[_].Commands[_]
TRACE | | | Unify 0 = _
TRACE | | | Unify 0 = _
TRACE | | | Unify {"Cmd": "run", "EndLine": 2, "Flags": [], "JSON": false, "Original": "RUN |1 NAME= /bin/sh -c echo $NAME", "Path": "Dockerfile", "Stage": 0, "StartLine": 2, "SubCmd": "", "Value": ["|1 NAME= /bin/sh -c echo $NAME"]} = instruction
TRACE | | | Eval instruction.Cmd = "healthcheck"
TRACE | | | Unify instruction.Cmd = "healthcheck"
TRACE | | | Unify "run" = "healthcheck"
TRACE | | | Fail instruction.Cmd = "healthcheck"
TRACE | | | Redo instruction = input.Stages[_].Commands[_]
TRACE | | Unify set() = __local5872__
TRACE | | Eval count(__local5872__, __local4672__)
TRACE | | Unify __local4672__ = 0
TRACE | | Eval __local4672__ = 0
TRACE | | Unify 0 = 0
TRACE | | Eval msg = "Add HEALTHCHECK instruction in your Dockerfile"
TRACE | | Unify msg = "Add HEALTHCHECK instruction in your Dockerfile"
TRACE | | Eval result.new(msg, {}, __local4673__)
TRACE | | Unify __local4673__ = {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": true, "msg": "Add HEALTHCHECK instruction in your Dockerfile", "parent": null, "resource": "", "sourceprefix": "", "startline": 0}
TRACE | | Eval res = __local4673__
TRACE | | Unify res = {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": true, "msg": "Add HEALTHCHECK instruction in your Dockerfile", "parent": null, "resource": "", "sourceprefix": "", "startline": 0}
TRACE | | Exit data.builtin.dockerfile.DS026.deny
TRACE | Redo data.builtin.dockerfile.DS026.deny
TRACE | | Redo res = __local4673__
TRACE | | Redo result.new(msg, {}, __local4673__)
TRACE | | Redo msg = "Add HEALTHCHECK instruction in your Dockerfile"
TRACE | | Redo __local4672__ = 0
TRACE | | Redo count(__local5872__, __local4672__)
TRACE | | Redo __local5872__ = data.lib.docker.healthcheck
TRACE | Unify {{"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": true, "msg": "Add HEALTHCHECK instruction in your Dockerfile", "parent": null, "resource": "", "sourceprefix": "", "startline": 0}} = _
TRACE | Exit data.builtin.dockerfile.DS026.deny = _
TRACE Redo data.builtin.dockerfile.DS026.deny = _
TRACE | Redo data.builtin.dockerfile.DS026.deny = _
TRACE

Operating System

m1

Version

Version: 0.58.0

Checklist

• Run trivy clean --all
• Read the troubleshooting

[nikpivkin]

Track: #8277