After reviewing the changes introduced by commit 8010a5b, the Dockerfile template now includes a check that halts the build if any upgradable PostgreSQL packages are detected. This new logic could be triggering a false positive in Dockle scans, causing all image scans to fail even when there is no real issue with the image itself.
The Dockle scan is configured in the CI workflow to fail on warnings, which may be contributing to the problem if Dockle interprets the new check or its output as a security or best-practice violation (workflow reference).
I did not find any existing issues or discussions in the repository about this specific false positive, nor any documentation on known solutions or workarounds for Dockle false positives related to this type of Dockerfile logic.
A common workaround for Dockle false positives is to use the DOCKLE_IGNORES environment variable or the accept-keywords/accept-filenames options in the Dockle configuration to suppress specific checks or warnings. You may want to review the Dockle scan output to identify the exact check or warning being triggered and consider ignoring it if it is not relevant to your security posture (Dockle config example).
If you can provide the specific Dockle warning or check that is failing, I can help suggest a more targeted workaround.
All Dockle image scans are failing with a false positive after 8010a5b was merged.