Dockerfile Scanner fails to parse HEALTHCHECK flags properly with Docker CIS

[slhck]

Description

The trivy dockerfile scanner fails to parse valid Docker HEALTHCHECK instructions when performing Docker CIS compliance scans.

Specifically, when a HEALTHCHECK includes the --start-period flag (or other flags like --interval, --timeout), the dockerfile scanner produces an error claiming the flag is unknown, even though the Dockerfile syntax is completely valid.

This error only appears during --compliance docker-cis-1.6.0 scans, not during regular vulnerability scans, indicating that the dockerfile scanner used by compliance checks has a bug in its HEALTHCHECK parser.

Desired Behavior

1. The dockerfile scanner should correctly parse all valid HEALTHCHECK flags (--interval, --timeout, --start-period, --retries)
2. No error messages should be generated for valid Docker syntax
3. Compliance scanning should work without errors on images using standard HEALTHCHECK patterns

Actual Behavior

When scanning an image with Docker CIS compliance that has a HEALTHCHECK with flags like --start-period, trivy produces an error:

2025-11-17T11:25:15+01:00       ERROR   [dockerfile scanner] Failed to parse file       file_path="Dockerfile" err="parse dockerfile instruction: unknown flag: --startPeriod (did you mean start-period?)"

The error is particularly confusing because:

1. The Dockerfile already uses --start-period (with a hyphen), not --startPeriod (camelCase)
2. The error message suggests the correct flag name but still fails to parse it
3. Docker itself has no problem building and running images with this syntax

To reproduce:

1. Create a minimal Dockerfile with a HEALTHCHECK using the --start-period flag:

   FROM alpine:latest
   
   RUN apk add --no-cache curl
   
   HEALTHCHECK --start-period=10s CMD curl -f http://localhost:3000
   
   CMD ["/bin/sh", "-c", "while true; do sleep 30; done"]

   Note: This uses --start-period (with hyphen), which is the correct Docker syntax as documented at https://docs.docker.com/reference/dockerfile/#healthcheck

2. Build the image successfully:

   docker build -t test-healthcheck .

   The build completes without errors, confirming the Dockerfile syntax is valid.

3. Verify the HEALTHCHECK was correctly configured:

   docker inspect test-healthcheck | jq '.[0].Config.Healthcheck'

   Output:

   {
     "StartPeriod": 10000000000,
     "Test": [
       "CMD-SHELL",
       "curl -f http://localhost:3000"
     ]
   }

4. Run trivy with Docker CIS compliance scanning:

   trivy image --compliance docker-cis-1.6.0 test-healthcheck

5. Observe the error in the output:

   2025-11-17T11:25:15+01:00       ERROR   [dockerfile scanner] Failed to parse file       file_path="Dockerfile" err="parse dockerfile instruction: unknown flag: --startPeriod (did you mean start-period?)"
   

   Note the paradox: The error suggests using start-period (which we're already using), but shows it as startPeriod in the error message.

6. Verify that regular vulnerability scanning works fine without errors:

   trivy image --scanners vuln test-healthcheck

   No dockerfile scanner errors appear - this bug only affects compliance scans.

Reproduction Steps

See above (properly formatted!)

Target

Container Image

Scanner

None

Output Format

None

Mode

Standalone

Debug Output

2025-11-17T11:31:36+01:00	DEBUG	No plugins loaded
2025-11-17T11:31:36+01:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-11-17T11:31:36+01:00	DEBUG	Cache dir	dir="/Users/werner/Library/Caches/trivy"
2025-11-17T11:31:36+01:00	DEBUG	Cache dir	dir="/Users/werner/Library/Caches/trivy"
2025-11-17T11:31:36+01:00	DEBUG	Compliance spec loaded from disk bundle	spec="docker-cis-1.6.0"
2025-11-17T11:31:36+01:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-11-17T11:31:36+01:00	DEBUG	Ignore statuses	statuses=[]
2025-11-17T11:31:36+01:00	DEBUG	DB update was skipped because the local DB is the latest
2025-11-17T11:31:36+01:00	DEBUG	DB info	schema=2 updated_at=2025-11-17T06:33:14.128543287Z next_update=2025-11-18T06:33:14.128543037Z downloaded_at=2025-11-17T10:21:54.099159Z
2025-11-17T11:31:36+01:00	INFO	[image] Container image config scanners	scanners=[misconfig secret]
2025-11-17T11:31:36+01:00	INFO	[vuln] Vulnerability scanning is enabled
2025-11-17T11:31:36+01:00	INFO	[misconfig] Misconfiguration scanning is enabled
2025-11-17T11:31:36+01:00	DEBUG	[misconfig] Checks successfully loaded from disk
2025-11-17T11:31:36+01:00	DEBUG	[notification] Running version check
2025-11-17T11:31:36+01:00	DEBUG	[notification] Version check completed	latest_version="0.67.2"
2025-11-17T11:31:36+01:00	DEBUG	[rego] Overriding filesystem for checks
2025-11-17T11:31:36+01:00	DEBUG	[rego] Embedded libraries are loaded	count=17
2025-11-17T11:31:37+01:00	DEBUG	[rego] Embedded checks are loaded	count=519
2025-11-17T11:31:37+01:00	DEBUG	[rego] Checks from disk are loaded	count=536
2025-11-17T11:31:37+01:00	DEBUG	[rego] Overriding filesystem for data
2025-11-17T11:31:37+01:00	DEBUG	Initializing scan cache...	type="fs"
2025-11-17T11:31:37+01:00	DEBUG	Created process-specific temp directory	path="/var/folders/3h/9h8lqbnx0p372m8qh7fpd1dh0000gn/T/trivy-10580"
2025-11-17T11:31:37+01:00	DEBUG	[image] Image found	image="trivy-bug-repro" source="docker"
2025-11-17T11:31:37+01:00	DEBUG	[image] Detected image ID	image_id="sha256:3f5e24f6082e20c474e44a88f100bb422135329df8f583708d7290be275bfd63"
2025-11-17T11:31:37+01:00	DEBUG	[image] Detected diff ID	diff_ids=[sha256:0e64f2360a448b389c83fcbc3705e1364ccf43f004bb55233c689e7ce59a1ae9 sha256:f95518cd684e86f2ab48f8b5040f5f2278e706d68387a126ff599b62ef11cfaa]
2025-11-17T11:31:37+01:00	DEBUG	[image] Detected base layers	diff_ids=[sha256:0e64f2360a448b389c83fcbc3705e1364ccf43f004bb55233c689e7ce59a1ae9]
2025-11-17T11:31:37+01:00	DEBUG	[image] Missing image ID in cache	image_id="sha256:3f5e24f6082e20c474e44a88f100bb422135329df8f583708d7290be275bfd63"
2025-11-17T11:31:37+01:00	DEBUG	[secret] Using streaming scanner	file_path="config.json"
2025-11-17T11:31:37+01:00	DEBUG	[secret] scanStream called	file_path="config.json" buffer_size=65536 overlap_size=4096
2025-11-17T11:31:37+01:00	DEBUG	[secret] scanChunk called	file_path="config.json" content_len=1539 num_rules=87
2025-11-17T11:31:37+01:00	DEBUG	[secret] scanChunk called	file_path="config.json" content_len=1539 num_rules=87
2025-11-17T11:31:37+01:00	DEBUG	No secrets found in container image config
2025-11-17T11:31:37+01:00	DEBUG	[misconfig] Scanning files for misconfigurations...	scanner="Dockerfile"
2025-11-17T11:31:37+01:00	ERROR	[dockerfile scanner] Failed to parse file	file_path="Dockerfile" err="parse dockerfile instruction: unknown flag: --startPeriod (did you mean start-period?)"
2025-11-17T11:31:37+01:00	INFO	Detected OS	family="alpine" version="3.22.2"
2025-11-17T11:31:37+01:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.22" repository="3.22" pkg_num=25
2025-11-17T11:31:37+01:00	INFO	Number of language-specific files	num=0
2025-11-17T11:31:37+01:00	INFO	Detected config files	num=0
2025-11-17T11:31:37+01:00	DEBUG	Found an ignore file	file_path=".trivyignore"
2025-11-17T11:31:37+01:00	DEBUG	[vex] VEX filtering is disabled

Summary Report for compliance: CIS Docker Community Edition Benchmark v1.6.0
┌──────┬──────────┬──────────────────────────────────────────────────────────────┬────────┬────────┐
│  ID  │ Severity │                         Control Name                         │ Status │ Issues │
├──────┼──────────┼──────────────────────────────────────────────────────────────┼────────┼────────┤
│ 4.1  │   HIGH   │ Ensure a user for the container has been created             │  PASS  │   0    │
│ 4.2  │   HIGH   │ Ensure that containers use only trusted base images (Manual) │   -    │   -    │
│ 4.3  │   HIGH   │ Ensure unnecessary packages are not installed in the         │   -    │   -    │
│      │          │ container (Manual)                                           │        │        │
│ 4.4  │ CRITICAL │ Ensure images are scanned and rebuilt to include security    │  PASS  │   0    │
│      │          │ patches                                                      │        │        │
│ 4.5  │   LOW    │ Ensure Content trust for Docker is Enabled (Manual)          │   -    │   -    │
│ 4.6  │   LOW    │ Ensure HEALTHCHECK instructions have been added to the       │  PASS  │   0    │
│      │          │ container image                                              │        │        │
│ 4.7  │   HIGH   │ Ensure update instructions are not used alone in the         │  PASS  │   0    │
│      │          │ Dockerfile                                                   │        │        │
│ 4.8  │   HIGH   │ Ensure setuid and setgid permissions are removed in the      │   -    │   -    │
│      │          │ images (Manual)                                              │        │        │
│ 4.9  │   LOW    │ Ensure COPY is used instead of ADD                           │  PASS  │   0    │
│ 4.10 │ CRITICAL │ Ensure secrets are not stored in Dockerfiles                 │  PASS  │   0    │
│ 4.11 │  MEDIUM  │ Ensure only verified packages are installed (Manual)         │   -    │   -    │
│ 4.12 │  MEDIUM  │ Ensure all signed artifacts are validated (Manual)           │   -    │   -    │
└──────┴──────────┴──────────────────────────────────────────────────────────────┴────────┴────────┘
2025-11-17T11:31:37+01:00	DEBUG	Cleaning up temp directory	path="/var/folders/3h/9h8lqbnx0p372m8qh7fpd1dh0000gn/T/trivy-10580"

Operating System

macOS 15.7.1

Version

0.67.2

Checklist

• Run trivy clean --all
• Read the troubleshooting

[simar7]

I think this might be a bug as I see this line which doesn't line up with the reference

trivy/pkg/fanal/analyzer/imgconf/dockerfile/dockerfile.go

Line 158 in 267a970

startPeriod = fmt.Sprintf("--startPeriod=%s ", health.StartPeriod)

cc @nikpivkin

[nikpivkin]

Track #9836