From 07feee8c0f663de0512eac8742cf6e13c5f60f24 Mon Sep 17 00:00:00 2001
From: Robbie Cronin
Date: Wed, 29 Oct 2025 02:30:54 +1100
Subject: [PATCH] fix: Trivy fails with "invalid tar header" when scanning Copa-patched images (#1359)
Signed-off-by: robert-cronin
---
 pkg/patch/build.go | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/pkg/patch/build.go b/pkg/patch/build.go
index 482a7b3d8..e99c39355 100644
--- a/pkg/patch/build.go
+++ b/pkg/patch/build.go
@@ -15,6 +15,10 @@ import (
 sourcepolicy "github.com/moby/buildkit/sourcepolicy/pb"
 )
+const (
+ attrValueTrue = "true"
+)
+
 // BuildConfig holds configuration for building and exporting images.
 type BuildConfig struct {
 SolveOpt client.SolveOpt
@@ -45,11 +49,11 @@ func createBuildConfig(
 "annotation." + copaAnnotationKeyPrefix + ".image.patched": time.Now().UTC().Format(time.RFC3339),
 }
 if shouldExportOCI {
- attrs["oci-mediatypes"] = "true"
+ attrs["oci-mediatypes"] = attrValueTrue
 }
 if push {
- attrs["push"] = "true"
+ attrs["push"] = attrValueTrue
 solveOpt.Exports = []client.ExportEntry{
 {
 Type: client.ExporterImage,
@@ -57,6 +61,11 @@ func createBuildConfig(
 },
 }
 } else {
+ // Use uncompressed layers for local export to ensure diff_id == blob digest
+ // This fixes Trivy scanning issues where compressed layers have mismatched hashes
+ attrs["compression"] = "uncompressed"
+ attrs["force-compression"] = attrValueTrue
+
 solveOpt.Exports = []client.ExportEntry{
 {
 Type: client.ExporterDocker,
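Review bot: `force-compression` in the else branch re-applies the compression setting to layers that already exist, as BuildKit documents the option, so a local export now rewrites the base image's layer blobs as well as the new patch layer, while the push branch keeps the default compression. The two-line comment gives the Trivy symptom but not that consequence: layer blob digests in a locally exported image will presumably no longer match the same image pushed to a registry, which matters to anything that pins or compares layers by digest. I would add a line such as `// force-compression also rewrites inherited base layers; blob digests differ from the pushed image`. The diffstat lists only build.go, so no test pins these two attrs for the non-push path; an assertion on the export attrs returned by createBuildConfig would keep the post-patch scan from breaking silently again. createBuildConfig starts and ends outside the hunk.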