RE: Layer Scanning is not working with images which is pushed with --compression-format zstd:chunked

Update:

And we found some images like busybox:1.37 which is directly pulled from upstream dockerhub. This is the same case. The ProGet-Layer-Scanner is not able to find any packages in there.

Hi,

thanks for quick response.

Yes, we do see that logs. And we are not using gzip as compression-format. So this is a naturely the effect, when we are using zstd. right?

For the moment is the solution, to avoid using other compression-format, because ProGet Layer-Scanner is not supporting zstd???

Hello,

We always use podman push with --compression-format=zstd:chunked in our CI/CD.

But when it comes to layer scanning on ProGet, neither the packages nor the vulnerabilities are suddenly listed for the pushed images.

Otherwise, images pushed with the default settings of podman push are scanned correctly.

Thank you very much and best regards

Hello,

Note on the instructions for downloading packages from Debian Feed. The syntax of the command is incorrect there. You can find
For example: sudo apt install “binutils:2.44-3”

Instead of a colon, the command should look like this: sudo apt install “binutils=2.44-3” or, with a colon, sudo apt install “binutils:amd64=2.44-3”

Thank you very much for considering my request. I truly appreciate the time and attention you’ve given to review it. Your willingness to listen to user feedback means a lot, and I’m grateful that this suggestion has been taken into account.

Yes. These headers are set at the beginning of the Release files before they are signed.
For example:

Origin: Debian Backports
Label: Debian Backports
Suite: oldstable-backports
Codename: bookworm-backports
Changelogs: https://metadata.ftp-master.debian.org/changelogs/@CHANGEPATH@_changelog
Date: Thu, 08 Jan 2026 20:25:04 UTC
Valid-Until: Thu, 15 Jan 2026 20:25:04 UTC
NotAutomatic: yes
ButAutomaticUpgrades: yes
Acquire-By-Hash: yes
No-Support-for-Architecture-all: Packages
Architectures: all amd64 arm64 armel armhf i386 mips64el mipsel ppc64el s390x
Components: main contrib non-free-firmware non-free
Description: Debian bookworm - Backports
SHA256:
 74f76b59db4f4eff71484ba88d926cbfe9fb98e10f20688ed897e6402e68830a   392369 contrib/Contents-all

I would recommend providing this capability when creating a Debian connector.
Ultimately, it only affects the Release files. The feeds and the connectors themselves are not affected by it and it has no impact in their functionality. For example, the Components header is already provided there as well.

The only impact is on the clients via APT. With these metadata, APT would be configured regarding how it should install or upgrade packages.

The possible headers / metadata fields can be found here:
https://manpages.debian.org/unstable/apt-utils/apt-ftparchive.1.en.html (in release section)

The attached image shows what such a capability could look like:

Hello Inedo Support/Product Team,

I would like to request an enhancement for ProGet’s Debian feeds: the ability to configure and emit the standard APT “suite behavior” headers in the generated Release/InRelease files, specifically:

NotAutomatic
ButAutomaticUpgrades

Use case
We operate Debian feeds in ProGet and would like to offer a “backports” for distribution. we are using these headers to prevent unintended mass upgrades from that suite, while still allowing automatic upgrades for packages that were explicitly installed from it. This is important to safely expose newer versions without clients accidentally upgrading large parts of their systems.

If this option already exists to set these headers, how can I implement it?

Best regards