Scratch not excluded from docker image tag rule

We have had failed sonarscans recently due to this rule:

Our builds suffer a bit from the docker Dive wasted space issue as we use golden base images and then run updates on them (and obviously add anything specific for that build). So we do a multistage build and copy into scratch:

FROM AS golden

RUN bash && rm

FROM scratch
COPY --from=golden / /


ENTRYPOINT ["bash", "/"]

We are using Enterprise Edition

  • Version 10.3 (build 82913)

With this (what should be) valid, simple Dockerfile, the rule above fires with:

FROM scratch
Use a specific version tag for the image.

This is from a job in our GitlabCI pipeline using sonarscanner CLI.

Obviously, if I do apply a tag on this, it fails:

   6 |     RUN bash && rm
   7 |     
   8 | >>> FROM scratch:latest
   9 |     COPY --from=golden / /
  10 |     
ERROR: failed to solve: scratch:latest: not found

Surely scratch should be excluded from this rule (not sure of others)?

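To make the false positive concrete, here is an added example (not the poster's code and not SonarQube's rule implementation) of a small tag-pinning check over FROM lines that treats `scratch` as untaggable, skips stage aliases and digest-pinned images, and flags only missing tags or `latest`. The Dockerfile it scans is constructed for the example; the image names, paths and digest are placeholders, and accepting a build-arg tag such as `${BASE_TAG}` as pinned is an assumption of this checker.

```python
import re

# Constructed sample Dockerfile, modelled on the multistage build in the post.
# Image names, tags and paths are placeholders, not the poster's real values.
SAMPLE_DOCKERFILE = """\
ARG BASE_TAG=1.2.3
FROM registry.example.com/golden-base:${BASE_TAG} AS golden
RUN apt-get update && rm -rf /var/lib/apt/lists/*
FROM --platform=linux/amd64 alpine AS helper
FROM debian:latest
FROM nginx@sha256:0000000000000000000000000000000000000000000000000000000000000000
FROM scratch
COPY --from=golden / /
ENTRYPOINT ["bash", "/entrypoint.sh"]
"""

# "scratch" is the empty base image and has no tags at all, so requiring one
# only produces a false positive ("scratch:latest" does not even build).
UNTAGGABLE = {"scratch"}

# FROM [--flag ...] <image> [AS <stage>]
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?\s*$", re.IGNORECASE)


def check_from_lines(dockerfile_text):
    """Return (line_no, image, reason) for every FROM whose base image is not
    pinned. Pinned means a digest or an explicit tag other than 'latest';
    a build-arg tag such as ${BASE_TAG} is accepted as pinned here (assumption)."""
    findings = []
    stage_aliases = set()
    for line_no, line in enumerate(dockerfile_text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m.group(1), m.group(2)
        # An earlier stage's alias is not an external image, and scratch
        # cannot carry a tag; neither is reported.
        skip = image.lower() in stage_aliases or image.lower() in UNTAGGABLE
        if alias:
            stage_aliases.add(alias.lower())
        if skip or "@sha256:" in image:   # digest-pinned images pass too
            continue
        # The tag follows the last ':' of the final path segment, so a
        # registry port (host:5000/img) is not mistaken for a tag.
        name_part = image.rsplit("/", 1)[-1]
        tag = name_part.split(":", 1)[1] if ":" in name_part else None
        if tag is None:
            findings.append((line_no, image, "no tag"))
        elif tag == "latest":
            findings.append((line_no, image, "tag 'latest' is not a specific version"))
    return findings
```

Run against the sample, the check reports the untagged `alpine` stage and `debian:latest`, while `FROM scratch` and the digest-pinned image pass.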

Hello @TheNom, and welcome to the community!

Thanks for raising awareness on this topic.
This is indeed an FP; I have created a Jira ticket in order to follow up on this.
I checked the other rules we have regarding Docker; it seems this is the only rule concerned.

Sorry for the inconvenience caused.
Best regards,


