I am getting below error when I ran docker buildx bake scan

Question

tls: failed to verify certificate: x509: certificate signed by unknown authority

Is it a good practice to add --insecure flag?

ARG IMAGE_TAG=node:22-bookworm-slim

FROM ${IMAGE_TAG} AS builder
WORKDIR /app
RUN --mount=type=cache,target=/var/cache/apt \
    apt-get update && \
    apt-get --no-install-recommends install -y openssl && \
    rm -rf /var/lib/apt/lists/*
COPY package.json package-lock.json tsconfig.json ./
COPY prisma/schema.prisma ./
RUN --mount=type=cache,target=/app/.npm \
    npm set cache /app/.npm && \
    npm ci
COPY . .
RUN npx prisma generate && npm run build

FROM builder AS scan
COPY --from=aquasec/trivy /usr/local/bin/trivy /usr/local/bin/trivy
RUN trivy fs /app --severity=HIGH,CRITICAL --ignore-unfixed --exit-code=1

Sarthak Varshney · Answer

To resolve the TLS certificate error when accessing mirror.gcr.io , follow these steps: 1. Update CA Certificates in the Image The error occurs because the container lacks the necessary trusted CA certificates. Update them by installing the ca-certificates package: RUN --mount=type=cache,target=/var/cache/apt \ apt-get update && \ apt-get --no-install-recommends install -y openssl ca-certificates && \ rm -rf /var/lib/apt/lists/* 2. Avoid Using --insecure The --insecure flag disables TLS verification, exposing your build process to MITM attacks. Do not use it unless strictly necessary (e.g., in isolated environments with self-signed certs). 3. If Internal/Corporate CA Issues If the issue stems from an internal CA (e.g., corporate proxy), add the CA certificate explicitly: COPY your-ca-cert.crt /usr/local/share/ca-certificates/ RUN update-ca-certificates 4. Verify Docker Daemon Configuration Ensure your Docker host trusts the CA. For Docker, configure /etc/docker/daemon.json with: { "insecure-registries": [], "registry-mirrors": ["https://mirror.gcr.io"] } Fixed Dockerfile Section : FROM ${IMAGE_TAG} AS builder WORKDIR /app RUN --mount=type=cache,target=/var/cache/apt \ apt-get update && \ apt-get --no-install-recommends install -y openssl ca-certificates && \ rm -rf /var/lib/apt/lists/* # ... rest of your Dockerfile This ensures the container has updated CA certificates, resolving the TLS trust issue securely.

I am getting below error when I ran docker buildx bake scan

Answers (1)