Trivy "FATAL unable to find the specified image" in CI
Trivy tried every source it knows (the Docker daemon, containerd, a remote registry) and none had an image matching the tag you passed. The image was not built in this job, was built with a different tag, or was never loaded into the daemon Trivy can see.
What this error means
The scan aborts immediately with "FATAL image scan error ... unable to find the specified image" before any vulnerability table appears.
2026-06-30T10:12:04.512Z FATAL image scan error: scan error: unable to initialize a scanner:
unable to initialize an image scanner: unable to find the specified image "myimage:latest"
in ["docker" "containerd" "podman" "remote"]Common causes
The image was never built or loaded in this job
A build that ran with --push sent the image to a registry without leaving it in the local daemon, so a later trivy image step finds nothing locally.
The tag passed to Trivy does not match the built tag
The build tagged myimage:${{ github.sha }} but the scan step references myimage:latest, so the reference resolves to nothing.
How to fix it
Load the image into the daemon before scanning
- If buildx pushed to a registry, also
--loadit (or scan the registry reference directly). - Pass Trivy the exact tag the build produced.
- Re-run so the reference resolves to a real image.
- name: Build
run: docker build -t myimage:${{ github.sha }} .
- name: Scan
run: trivy image --exit-code 1 --severity HIGH,CRITICAL myimage:${{ github.sha }}Scan the registry reference instead of a local tag
If the image only lives in a registry, give Trivy the full pushed reference so it pulls it directly.
trivy image ghcr.io/org/myimage:${{ github.sha }}How to prevent it
- Use one image reference variable across build and scan steps.
- When buildx pushes, add
--loadif a later step scans locally. - Order the scan after the build in the same job or pass the tag between jobs.