stackrox · janisz · Feb 18, 2026 · Apr 14, 2026 · Apr 15, 2026 · Apr 15, 2026
@@ -42,7 +42,7 @@ spec:
     value: |
       [
         { "type": "gomod", "path": "." },
-        { "type": "rpm", "path": "." }
+        { "type": "rpm" }
       ]
   - name: build-source-image
     value: 'true'
@@ -58,6 +58,8 @@ spec:
     value:
     # X.Y in the cpe label must be adjusted for every version stream.
     - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el9"
+  - name: ACTIVATION_KEY
+    value: subscription-manager-activation-key-prod
 
   workspaces:
   - name: git-auth

@@ -38,9 +38,11 @@ spec:
     value: 'true'
   - name: hermetic
     value: "true"
-  # No dependencies are required for scanner-db image.
   - name: prefetch-input
-    value: ''
+    value: |
+      [
+        { "type": "rpm" }
+      ]
   - name: build-source-image
     value: 'true'
   - name: build-target-stage
@@ -55,6 +57,8 @@ spec:
     value:
     # X.Y in the cpe label must be adjusted for every version stream.
     - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el9"
+  - name: ACTIVATION_KEY
+    value: subscription-manager-activation-key-prod
 
   workspaces:
   - name: git-auth

@@ -38,9 +38,11 @@ spec:
     value: 'true'
   - name: hermetic
     value: "true"
-  # No dependencies are required for scanner-db-slim image.
   - name: prefetch-input
-    value: ''
+    value: |
+      [
+        { "type": "rpm" }
+      ]
   - name: build-source-image
     value: 'true'
   - name: build-target-stage
@@ -55,6 +57,8 @@ spec:
     value:
     # X.Y in the cpe label must be adjusted for every version stream.
     - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el9"
+  - name: ACTIVATION_KEY
+    value: subscription-manager-activation-key-prod
 
   workspaces:
   - name: git-auth

@@ -42,7 +42,7 @@ spec:
     value: |
       [
         { "type": "gomod", "path": "." },
-        { "type": "rpm", "path": "." }
+        { "type": "rpm" }
       ]
   - name: build-source-image
     value: 'true'
@@ -58,6 +58,8 @@ spec:
     value:
     # X.Y in the cpe label must be adjusted for every version stream.
     - "cpe=cpe:/a:redhat:advanced_cluster_security:X.Y::el9"
+  - name: ACTIVATION_KEY
+    value: subscription-manager-activation-key-prod
 
   workspaces:
   - name: git-auth

@@ -2,13 +2,34 @@ ARG BASE_REGISTRY=registry.access.redhat.com
 ARG BASE_IMAGE=ubi9-minimal
 ARG BASE_TAG=latest
 
+FROM ${BASE_REGISTRY}/ubi9-micro:${BASE_TAG} AS ubi-micro-base
+
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS extracted_bundle
 
 COPY bundle.tar.gz /
 WORKDIR /bundle
 RUN microdnf install -y tar gzip && tar -zxf /bundle.tar.gz
 
-FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS base
+FROM ${BASE_REGISTRY}/ubi9:${BASE_TAG} AS package_installer
+
+COPY --from=ubi-micro-base / /out/
+
+RUN dnf install -y \
+    --installroot=/out/ \
+    --releasever=9 \
+    --setopt=install_weak_deps=0 \
+    --nodocs \
+    findutils \
+    ca-certificates \
+    rpm \
+    xz \
+    gzip \
+    less \
+    tar && \
+    dnf clean all --installroot=/out/ && \
+    rm -rf /out/var/cache/dnf /out/var/cache/yum
+
+FROM ubi-micro-base AS base
 
 ARG LABEL_VERSION
 ARG LABEL_RELEASE
@@ -25,20 +46,15 @@ LABEL name="scanner" \
 
 SHELL ["/bin/sh", "-o", "pipefail", "-c"]
 
+COPY --from=package_installer /out/ /
+
 COPY scripts /
 
 COPY --from=extracted_bundle /bundle/scanner ./
 
 COPY --from=extracted_bundle /bundle/THIRD_PARTY_NOTICES/ /THIRD_PARTY_NOTICES/
 
-RUN microdnf upgrade -y --nobest && \
-    microdnf install -y xz && \
-    microdnf clean -y all && \
-    # (Optional) Remove line below to keep package management utilities
-    # We don't uninstall rpm because scanner uses it to get packages installed in scanned images.
-    rpm -e --nodeps $(rpm -qa curl '*dnf*' '*libsolv*' '*hawkey*' 'yum*') && \
-    rm -rf /var/cache/dnf /var/cache/yum && \
-    chown -R 65534:65534 /tmp && \
+RUN chown -R 65534:65534 /tmp && \
     # The contents of paths mounted as emptyDir volumes in Kubernetes are saved
     # by the script `save-dir-contents` during the image build. The directory
     # contents are then restored by the script `restore-all-dir-contents`

@@ -2,13 +2,34 @@ ARG BASE_REGISTRY=registry.access.redhat.com
 ARG BASE_IMAGE=ubi9-minimal
 ARG BASE_TAG=latest
 
+FROM ${BASE_REGISTRY}/ubi9-micro:${BASE_TAG} AS ubi-micro-base
+
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS extracted_bundle
 
 COPY bundle.tar.gz /
 WORKDIR /bundle
 RUN microdnf install -y tar gzip && tar -zxf /bundle.tar.gz
 
-FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS base
+FROM ${BASE_REGISTRY}/ubi9:${BASE_TAG} AS package_installer
+
+COPY --from=ubi-micro-base / /out/
+
+RUN dnf install -y \
+    --installroot=/out/ \
+    --releasever=9 \
+    --setopt=install_weak_deps=0 \
+    --nodocs \
+    findutils \
+    ca-certificates \
+    rpm \
+    xz \
+    gzip \
+    less \
+    tar && \
+    dnf clean all --installroot=/out/ && \
+    rm -rf /out/var/cache/dnf /out/var/cache/yum
+
+FROM ubi-micro-base AS base
 
 ARG LABEL_VERSION
 ARG LABEL_RELEASE
@@ -25,20 +46,15 @@ LABEL name="scanner-slim" \
 
 SHELL ["/bin/sh", "-o", "pipefail", "-c"]
 
+COPY --from=package_installer /out/ /
+
 COPY scripts /
 
 COPY --from=extracted_bundle /bundle/scanner ./
 
 COPY --from=extracted_bundle /bundle/THIRD_PARTY_NOTICES/ /THIRD_PARTY_NOTICES/
 
-RUN microdnf upgrade -y --nobest && \
-    microdnf install -y xz && \
-    microdnf clean -y all && \
-    # (Optional) Remove line below to keep package management utilities
-    # We don't uninstall rpm because scanner uses it to get packages installed in scanned images.
-    rpm -e --nodeps $(rpm -qa curl '*dnf*' '*libsolv*' '*hawkey*' 'yum*') && \
-    rm -rf /var/cache/dnf /var/cache/yum && \
-    chown -R 65534:65534 /tmp && \
+RUN chown -R 65534:65534 /tmp && \
     # The contents of paths mounted as emptyDir volumes in Kubernetes are saved
     # by the script `save-dir-contents` during the image build. The directory
     # contents are then restored by the script `restore-all-dir-contents`

@@ -27,8 +27,30 @@ RUN echo -n "version: " && make --quiet --no-print-directory tag && \
 COPY .konflux/scanner-data/blob-genesis_manifests.json image/scanner/dump/genesis_manifests.json
 
 
+FROM registry.access.redhat.com/ubi9/ubi-micro:latest@sha256:093a704be0eaef9bb52d9bc0219c67ee9db13c2e797da400ddb5d5ae6849fa10 AS ubi-micro-base
+
+FROM registry.access.redhat.com/ubi9/ubi:latest@sha256:6ed9f6f637fe731d93ec60c065dbced79273f1e0b5f512951f2c0b0baedb16ad AS package_installer
+
+COPY --from=ubi-micro-base / /out/
+
+RUN dnf install -y \
+    --installroot=/out/ \
+    --releasever=9 \
+    --setopt=install_weak_deps=0 \
+    --setopt=reposdir=/etc/yum.repos.d \
+    --nodocs \
+    findutils \
+    ca-certificates \
+    rpm \
+    xz \
+    gzip \
+    less \
+    tar && \
+    dnf clean all --installroot=/out/ && \
+    rm -rf /out/var/cache/dnf /out/var/cache/yum
+
 # Common base for scanner slim and full
-FROM registry.access.redhat.com/ubi9-minimal:latest@sha256:c7d44146f826037f6873d99da479299b889473492d3c1ab8af86f08af04ec8a0 AS scanner-common
+FROM ubi-micro-base AS scanner-common
 
 ARG SCANNER_TAG
 
@@ -52,20 +74,16 @@ SHELL ["/bin/sh", "-o", "pipefail", "-c"]
 
 ENV REPO_TO_CPE_DIR="/repo2cpe"
 
+COPY --from=package_installer /out/ /
+
 COPY --from=builder /src/image/scanner/scripts /
 COPY --from=builder /src/image/scanner/bin/scanner ./
 COPY --chown=65534:65534 --from=builder "/src/image/scanner/dump${REPO_TO_CPE_DIR}/" ".${REPO_TO_CPE_DIR}/"
 COPY --chown=65534:65534 --from=builder /src/image/scanner/dump/genesis_manifests.json ./
 
 COPY LICENSE /licenses/LICENSE
 
-RUN microdnf install -y xz && \
-    microdnf clean all && \
-    # (Optional) Remove line below to keep package management utilities
-    # We don't uninstall rpm because scanner uses it to get packages installed in scanned images.
-    rpm -e --nodeps $(rpm -qa curl '*dnf*' '*libsolv*' '*hawkey*' 'yum*') && \
-    rm -rf /var/cache/dnf /var/cache/yum && \
-    chown -R 65534:65534 /tmp && \
+RUN chown -R 65534:65534 /tmp && \
     # The contents of paths mounted as emptyDir volumes in Kubernetes are saved
     # by the script `save-dir-contents` during the image build. The directory
     # contents are then restored by the script `restore-all-dir-contents`

@@ -5,4 +5,4 @@ set -euo pipefail
 /restore-all-dir-contents
 /import-additional-cas
 
-exec /scanner
+exec /scanner "$@"
@@ -26,9 +26,13 @@ copy_existing /etc/pki/injected-ca-trust
 # Only copy ca.pem — the mount also contains server cert and key which
 # should not be added as trusted CA anchors.
 CA_PATH="/run/secrets/stackrox.io/certs/ca.pem"
-echo "Copying StackRox root CA from '${CA_PATH}'"
-# For RHEL
-cp "${CA_PATH}" /etc/pki/ca-trust/source/anchors/root-ca.pem
+if [ -f "$CA_PATH" ]; then
+    echo "Copying StackRox root CA from '${CA_PATH}'"
+    # For RHEL
+    cp "${CA_PATH}" /etc/pki/ca-trust/source/anchors/root-ca.pem
+else
+    echo "No StackRox root CA found at '${CA_PATH}' - skipping"
+fi
 
 echo "Updating CA trust"
 # Though /etc/pki/ca-trust/extracted is the default output, update-ca-trust

@@ -2,7 +2,7 @@ ARG BASE_REGISTRY=registry.access.redhat.com
 ARG BASE_IMAGE=ubi9-minimal
 ARG BASE_TAG=latest
 
-FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+FROM ${BASE_REGISTRY}/ubi9-micro:${BASE_TAG}
 
 ARG LABEL_VERSION
 ARG LABEL_RELEASE

@@ -2,13 +2,31 @@
 # See our docs here: https://spaces.redhat.com/display/StackRox/How+to+prefetch+RPMs+for+ACS+Konflux+builds
 
 packages:
+# Scanner packages (for konflux.Dockerfile stage: package_installer)
+# These packages are installed on top of ubi9-micro base image
+# Note: coreutils and bash are excluded - ubi9-micro already includes them
+# Note: rpm is required by scanner binary to query packages in scanned images
+- findutils
+- ca-certificates
+- rpm
 - xz
+- gzip
+- less
+- tar
+
+# Note: Scanner-DB images don't need RPM prefetch because:
+# - konflux.Dockerfile uses registry.redhat.io/rhel9/postgresql-15 base (already has everything)
+# - Dockerfile and Dockerfile.slim use ubi9 (full) in dependency_builder stage (can install packages via dnf normally)
+
 contentOrigin:
   repofiles: [ "rpms.rhel.repo" ]
+
 context:
   containerfile:
     file: image/scanner/rhel/konflux.Dockerfile
-    stageName: scanner-common
+    stageName: package_installer
+    imagePattern: registry.access.redhat.com/ubi9/ubi-micro:latest
+
 arches:
 - aarch64
 - ppc64le