
OSV-Scanner: exclude release-time dockerfiles from scan-containers matrix #11386

@rapsealk

Description


Part of #11379. Follow-up to #11380 / #11383.

After #11383 merged, the OSV-Scanner workflow's scan-containers matrix still fails on every push to main. Latest run: 25039432437. The build-arg / v2-CLI / SARIF-guard fixes from #11383 work correctly — 3 standalone dockerfiles (socket-relay, linuxkit-nsenter, krunner-extractor) now pass — but 5 fail with:

ERROR: failed to build: failed to solve: failed to compute cache key: failed to calculate checksum of ref ...: "/dist": not found

Why

backend.ai-{client,storage-proxy,webserver,appproxy-coordinator,appproxy-worker}.dockerfile are release-time dockerfiles. Each does:

ARG PKGVER
COPY dist /dist
RUN pip wheel --no-cache-dir backend.ai-{component}==${PKGVER} --find-links=/dist

They consume pre-built backend.ai wheels produced by scripts/build-wheels.sh / pants package and a PKGVER from VERSION (see ci.yml:1075-1092 for how the release pipeline drives this). The OSV-Scanner workflow uses context: docker with neither a wheel-build step nor a PKGVER build-arg, so COPY dist /dist fails.

The repo already has the answer

.github/workflows/sbom.yml:40 excludes these via:

DOCKERFILES=$(find docker -type f -name "*.dockerfile" ! -name "backend.ai-*.dockerfile")

.github/workflows/osv-scanner.yml:51 is the same line without the exclude.

Action

Apply the same exclude — one-line change:

-        DOCKERFILES=$(find docker -type f -name "*.dockerfile")
+        DOCKERFILES=$(find docker -type f -name "*.dockerfile" ! -name "backend.ai-*.dockerfile")
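Review bot: the exclusion keys on the filename prefix `backend.ai-*.dockerfile`, not on what makes these files unbuildable (the `COPY dist /dist` / `--find-links=/dist` dependence on pre-built wheels), so a future release-time dockerfile with another name brings the matrix failure back, and a standalone image that happens to be named `backend.ai-*` would be silently dropped from scanning. Since the issue itself says scanning of the real backend.ai-* images is a tracked gap, add a one-line comment above the `find` in osv-scanner.yml stating why these files are skipped and pointing at that tracking issue, so the exclusion is not later mistaken for coverage; and note that sbom.yml:40 now carries a hand-copied twin of this line, so the two will drift unless the list is derived in one place.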

After the change, scan-containers matrix shrinks 8 → 3, all green.

Out of scope

Container vulnerability scanning of the actual backend.ai-* images is a real gap and is tracked separately. Source-level dep bumps to clear remaining scan-scheduled alerts are also tracked separately.

Verification

  • workflow_dispatch triggers OSV-Scanner on the fix branch.
  • scan-containers runs only 3 matrix entries and all pass.
  • SARIF for the 3 standalone images still reaches the Security tab.
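The issue selects scannable dockerfiles by filename prefix. The following is an added example, not code from the backend.ai repository or its workflows, showing the content-based alternative: classify a dockerfile as release-time when it actually depends on the `/dist` wheel directory the scan job never produces. The function names (`needs_release_artifacts`, `standalone_dockerfiles`, `make_fixture`) and the two fixture dockerfiles are constructed for this example; the fixture contents are hypothetical, not copies of the real docker/ directory.

```bash
#!/usr/bin/env bash
# Added example (not from the backend.ai repo): pick dockerfiles for a
# scan-containers matrix by what they need, not by how they are named.
# A dockerfile is "release-time" when it copies /dist or installs from it,
# which only works after scripts/build-wheels.sh has run.
set -eu

# needs_release_artifacts FILE -> exit 0 if FILE copies dist/ or pulls wheels from /dist
needs_release_artifacts() {
  grep -Eq '^[[:space:]]*COPY[[:space:]]+dist/?[[:space:]]|--find-links=/dist' "$1"
}

# standalone_dockerfiles DIR -> print *.dockerfile paths under DIR that build
# from a plain git checkout, one per line, sorted for a stable matrix order
standalone_dockerfiles() {
  local f
  find "$1" -type f -name '*.dockerfile' | sort | while IFS= read -r f; do
    if ! needs_release_artifacts "$f"; then
      printf '%s\n' "$f"
    fi
  done
}

# make_fixture DIR -> write two constructed dockerfiles (hypothetical content):
# one release-time, one standalone, so the classifier can be exercised offline
make_fixture() {
  mkdir -p "$1"
  cat > "$1/backend.ai-client.dockerfile" <<'EOF'
FROM python:3.12-slim
ARG PKGVER
COPY dist /dist
RUN pip wheel --no-cache-dir backend.ai-client==${PKGVER} --find-links=/dist
EOF
  cat > "$1/socket-relay.dockerfile" <<'EOF'
FROM alpine:3.20
COPY src/socket-relay /opt/socket-relay
RUN apk add --no-cache socat
EOF
}

# Usage: `bash this.sh demo` builds the fixture in a temp dir and prints the
# standalone list (only socket-relay.dockerfile should appear).
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_fixture "$d"
  standalone_dockerfiles "$d"
  rm -rf "$d"
fi
```

In a workflow, `DOCKERFILES=$(standalone_dockerfiles docker)` would replace the name-based `find`, and a new release-time dockerfile with any name is excluded automatically; the trade-off is that the rule is hidden in a grep pattern rather than visible in the workflow line, so the pattern deserves a comment where it lives.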
