Investigate Container Scanning support for multi-stage builds

Summary

Container Scanning only reports vulnerabilities for the image named in the last FROM directive of a multi-stage Docker build.

Steps to reproduce

If two or more Docker images are combined in one Dockerfile:

    FROM golang:1.3
    FROM node:12
    COPY . .

Container Scanning will only report vulnerabilities for the image in the last FROM directive. In the example above, this means only the node:12 image is scanned; the golang:1.3 image used by the earlier stage is not.
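To make the stages explicit before deciding what to scan, here is an added example (not code from this issue or from the Container Scanning project): a small Python parser that lists every FROM directive of a Dockerfile, flags the final stage, and reports which base images a scan of the final image alone will not cover. The function names (`parse_stages`, `base_images`, `unscanned_base_images`, `resolve_base`) and the sample Dockerfile are constructed for this example; the only real tooling assumed is `docker build --target <stage>`, which builds an intermediate stage as its own image so that it can be scanned separately.

```python
"""Enumerate the build stages of a multi-stage Dockerfile.

Added example, not part of the original issue. A scan of the final image
only sees the last stage's base image and whatever was COPYed into it, so
the earlier stages' base images have to be identified (and, if wanted,
built with `docker build --target <stage>`) on their own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample Dockerfile mirroring the reproduction steps above.
SAMPLE_DOCKERFILE = """\
# build stage
FROM golang:1.3 AS builder
WORKDIR /src
COPY . .
RUN go build -o /out/app .

FROM node:12
COPY --from=builder /out/app /usr/local/bin/app
COPY . .
"""

# FROM [--platform=<p>] <image> [AS <name>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<image>\S+)(?:\s+AS\s+(?P<name>\S+))?\s*$",
    re.IGNORECASE,
)


@dataclass
class Stage:
    index: int
    image: str            # image reference, or the name/index of an earlier stage
    name: Optional[str]   # alias given via "AS <name>", if any
    is_final: bool        # True for the stage that becomes the output image


def parse_stages(dockerfile: str) -> List[Stage]:
    """Return every build stage in order, with the final stage flagged."""
    stages: List[Stage] = []
    # Join backslash-continued lines so a wrapped FROM is still parsed.
    text = re.sub(r"\\\n\s*", " ", dockerfile)
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = FROM_RE.match(line)
        if m:
            stages.append(Stage(len(stages), m.group("image"), m.group("name"), False))
    if stages:
        stages[-1].is_final = True
    return stages


def _refers_to_earlier_stage(ref: str, index: int, names: set) -> bool:
    """True when a FROM target names an earlier stage rather than an external image."""
    return ref in names or (ref.isdigit() and int(ref) < index)


def base_images(stages: List[Stage]) -> List[str]:
    """External base images only (stage references and 'scratch' are skipped)."""
    names = {s.name for s in stages if s.name}
    result: List[str] = []
    for s in stages:
        if _refers_to_earlier_stage(s.image, s.index, names) or s.image.lower() == "scratch":
            continue
        if s.image not in result:
            result.append(s.image)
    return result


def resolve_base(stages: List[Stage], stage: Stage) -> str:
    """Follow FROM references through earlier stages to the external image."""
    by_name = {s.name: s for s in stages if s.name}
    seen = set()
    while stage.index not in seen:
        seen.add(stage.index)
        ref = stage.image
        if ref in by_name:
            stage = by_name[ref]
        elif ref.isdigit() and int(ref) < stage.index:
            stage = stages[int(ref)]
        else:
            return ref
    return stage.image


def unscanned_base_images(stages: List[Stage]) -> List[str]:
    """Base images that a scan of the final image alone will not cover."""
    final_base = resolve_base(stages, stages[-1])
    return [img for img in base_images(stages) if img != final_base]


if __name__ == "__main__":
    stages = parse_stages(SAMPLE_DOCKERFILE)
    for s in stages:
        tag = " (final image)" if s.is_final else ""
        print(f"stage {s.index}: FROM {s.image}" + (f" AS {s.name}" if s.name else "") + tag)
    for img in unscanned_base_images(stages):
        print(f"not covered by a final-image scan: {img}")
```

For the sample above this prints both stages and reports golang:1.3 as the base image a final-image scan does not cover. Whether that is a gap depends on what the final image actually contains: the Go toolchain's OS packages never reach the node:12 stage, only the copied binary does, which is the distinction the proposal below asks to settle and document.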

Example Project

Fork of the ruby-bundler project with a changed Dockerfile:

https://gitlab.com/caneldem/multistage

https://gitlab.com/caneldem/multistage-go (this one uses only the Go image)

Proposal

Please investigate this issue further and lay out a possible fix:

  • Is this the expected behaviour of the tool we are using?
  • Update our documentation to be very specific about what occurs in this scenario.

After the research, if we feel changes are needed, we can create a backlog issue for them.

Edited by Adam Cohen