From 309108559f4002b92e5336d5f52e85869012a035 Mon Sep 17 00:00:00 2001
From: Kentaro Hayashi
Date: Thu, 8 Jan 2026 16:24:07 +0900
Subject: [PATCH 1/2] github actions: use descendant order

It is useful to check the result of fluentd first. Before: debian -> ruby -> fluentd After: fluentd -> ruby -> debian

Signed-off-by: Kentaro Hayashi
---
 .github/workflows/scan-images.yml | 36 +++++++++++++++----------------
 1 file changed, 18 insertions(+), 18 deletions(-)

diff --git a/.github/workflows/scan-images.yml b/.github/workflows/scan-images.yml
index 84abf13..b3c72c6 100644
--- a/.github/workflows/scan-images.yml
+++ b/.github/workflows/scan-images.yml
@@ -11,21 +11,23 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  debian:
-    name: Scan debian image with grype
+  fluentd:
+    name: Scan Fluentd image with grype
     strategy:
       fail-fast: false
     runs-on: ubuntu-latest
     steps:
-      - name: Pull and scan upstream trixie image
+      - uses: actions/checkout@v6
+      - name: Pull and scan Fluentd image
         run: |
-          docker pull debian:trixie
-          echo "# Scan debian image with grype (filter)" >> $GITHUB_STEP_SUMMARY
-          docker run --rm anchore/grype:latest debian:trixie --ignore-states wont-fix | grep -v Negligible >> $GITHUB_STEP_SUMMARY
-          echo "# Scan debian image with grype (details)" >> $GITHUB_STEP_SUMMARY
+          # v1.19.1-debian-amd64
+          IMAGE=$(make echo-all-images | cut -d' ' -f1|cut -d',' -f3)
+          echo "# Scan Fluentd image with grype (filter)" >> $GITHUB_STEP_SUMMARY
+          docker run --rm anchore/grype:latest fluent/fluentd:$IMAGE --ignore-states wont-fix | grep -v Negligible >> $GITHUB_STEP_SUMMARY
+          echo "# Scan Fluentd image with grype (details)" >> $GITHUB_STEP_SUMMARY
           echo "|NAME | INSTALLED | FIXED | IN | TYPE | VULNERABILITY | SEVERITY | EPSS | RISK | |" >> $GITHUB_STEP_SUMMARY
           echo "|---| ---|---|---|----|---|---|---|---|---|" >> $GITHUB_STEP_SUMMARY
-          docker run --rm anchore/grype:latest debian:trixie | sed -e "s/won't fix/won'tfix/g" | grep -v "^NAME" | sed 's/^/|/; s/ */ | /g; s/$/ |/' >> $GITHUB_STEP_SUMMARY
+          docker run --rm anchore/grype:latest fluent/fluentd:$IMAGE | sed -e "s/won't fix/won'tfix/g" | grep -v "^NAME" | sed 's/^/|/; s/ */ | /g; s/$/ |/' >> $GITHUB_STEP_SUMMARY
   ruby:
     name: Scan Ruby image with grype
     strategy:
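Review bot: A failing scanner run is masked on the new side of this hunk, because the default `run` shell is `bash -e` without `pipefail`, so `docker run --rm anchore/grype:latest fluent/fluentd:$IMAGE ... | grep -v Negligible >> $GITHUB_STEP_SUMMARY` only reports grep's exit status and the job stays green with no findings in the summary; the `IMAGE=$(make echo-all-images | cut ...)` pipeline has the same shape, so a failed `make` silently leaves `IMAGE` empty. The debian job in the second hunk and the new `gem` job in the second patch carry the same pattern. Adding `shell: bash` to the step (GitHub runs it with `-eo pipefail`), or `set -o pipefail` as the first script line, plus `test -n "$IMAGE"` after the assignment, makes a broken scan fail the job instead of passing quietly. Separately, `anchore/grype:latest` is a floating tag for the scanner itself; pinning it to a version or digest keeps results comparable between runs and rules out an unexpected scanner change.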
@@ -41,20 +43,18 @@ jobs:
           echo "|NAME | INSTALLED | FIXED | IN | TYPE | VULNERABILITY | SEVERITY | EPSS | RISK | |" >> $GITHUB_STEP_SUMMARY
           echo "|---| ---|---|---|----|---|---|---|---|---|" >> $GITHUB_STEP_SUMMARY
           docker run --rm anchore/grype:latest ruby:3.4-slim | sed -e "s/won't fix/won'tfix/g" | grep -v "^NAME" | sed 's/^/|/; s/ */ | /g; s/$/ |/' >> $GITHUB_STEP_SUMMARY
-  fluentd:
-    name: Scan Fluentd image with grype
+  debian:
+    name: Scan debian image with grype
     strategy:
       fail-fast: false
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
-      - name: Pull and scan Fluentd image
+      - name: Pull and scan upstream trixie image
         run: |
-          # v1.19.1-debian-amd64
-          IMAGE=$(make echo-all-images | cut -d' ' -f1|cut -d',' -f3)
-          echo "# Scan Fluentd image with grype (filter)" >> $GITHUB_STEP_SUMMARY
-          docker run --rm anchore/grype:latest fluent/fluentd:$IMAGE --ignore-states wont-fix | grep -v Negligible >> $GITHUB_STEP_SUMMARY
-          echo "# Scan Fluentd image with grype (details)" >> $GITHUB_STEP_SUMMARY
+          docker pull debian:trixie
+          echo "# Scan debian image with grype (filter)" >> $GITHUB_STEP_SUMMARY
+          docker run --rm anchore/grype:latest debian:trixie --ignore-states wont-fix | grep -v Negligible >> $GITHUB_STEP_SUMMARY
+          echo "# Scan debian image with grype (details)" >> $GITHUB_STEP_SUMMARY
           echo "|NAME | INSTALLED | FIXED | IN | TYPE | VULNERABILITY | SEVERITY | EPSS | RISK | |" >> $GITHUB_STEP_SUMMARY
           echo "|---| ---|---|---|----|---|---|---|---|---|" >> $GITHUB_STEP_SUMMARY
-          docker run --rm anchore/grype:latest fluent/fluentd:$IMAGE | sed -e "s/won't fix/won'tfix/g" | grep -v "^NAME" | sed 's/^/|/; s/ */ | /g; s/$/ |/' >> $GITHUB_STEP_SUMMARY
+          docker run --rm anchore/grype:latest debian:trixie | sed -e "s/won't fix/won'tfix/g" | grep -v "^NAME" | sed 's/^/|/; s/ */ | /g; s/$/ |/' >> $GITHUB_STEP_SUMMARY

From 143d2b99191366cfb29518bb970f5f30376fe570 Mon Sep 17 00:00:00 2001
From: Kentaro Hayashi
Date: Thu, 8 Jan 2026 16:35:11 +0900
Subject: [PATCH 2/2] github actions: show bundled gems

Show multi-versioned gems in (filter) and full list in (details) section. e.g. docker run --rm fluent/fluentd:v1.19.1-debian-amd64 gem list | grep "," json (2.13.2, default: 2.9.1) rexml (3.4.4, 3.4.0)

Signed-off-by: Kentaro Hayashi
---
 .github/workflows/scan-images.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/.github/workflows/scan-images.yml b/.github/workflows/scan-images.yml
index b3c72c6..3317aac 100644
--- a/.github/workflows/scan-images.yml
+++ b/.github/workflows/scan-images.yml
@@ -11,6 +11,21 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
+  gem:
+    name: Show bundled gems
+    strategy:
+      fail-fast: false
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: Show bundled gems in Fluentd image
+        run: |
+          # v1.19.1-debian-amd64
+          IMAGE=$(make echo-all-images | cut -d' ' -f1|cut -d',' -f3)
+          echo "# Show bundled gems in Fluentd image (filter)" >> $GITHUB_STEP_SUMMARY
+          docker run --rm fluent/fluentd:$IMAGE gem list | grep "," >> $GITHUB_STEP_SUMMARY
+          echo "# Show all bundled gems in Fluentd image (details)" >> $GITHUB_STEP_SUMMARY
+          docker run --rm fluent/fluentd:$IMAGE gem list >> $GITHUB_STEP_SUMMARY
   fluentd:
     name: Scan Fluentd image with grype
     strategy:
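Review bot: The "(filter)" line of the new `gem` job fails the whole step as soon as the image has no multi-versioned gem: `docker run --rm fluent/fluentd:$IMAGE gem list | grep "," >> $GITHUB_STEP_SUMMARY` ends with grep, whose exit status 1 on no match aborts the script under the default `bash -e` shell, so the job would turn red precisely when the duplicate-gem situation has been cleaned up. Writing it as `docker run --rm fluent/fluentd:$IMAGE gem list | { grep "," || true; } >> $GITHUB_STEP_SUMMARY` keeps an empty filter section from failing the report. The raw `gem list` output is also appended as Markdown, where consecutive lines fold into one paragraph; emitting a fenced code block (an `echo` of three backticks before and after each listing) keeps one gem per line in the step summary. The `IMAGE=$(make echo-all-images | cut -d' ' -f1|cut -d',' -f3)` assignment is unchecked as well; `test -n "$IMAGE"` right after it stops the job from running `docker run` against an empty tag when `make` fails.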