Vulnerability Scan of istio-ingress replicaset with image: auto

[ghost]

Hello there,

I am using trivy-operator to scan images of my workloads on GKE cluster.
I am also using Istio as a service mesh with istio-ingress gateway deployed with auto-injection. This causes istio-ingress Deployment and its ReplicaSet to have image: auto in manifests, and only pods have this replaced with proper image path.
I've noticed this to cause vulnerability scan to fail with error:

FATAL image scan error: scan error: unable to initialize a scanner: unable to initialize a docker scanner: 4 errors occurred:
	* unable to inspect the image (auto): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
	* containerd socket not found: /run/containerd/containerd.sock
	* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
	* GET https://index.docker.io/v2/library/auto/manifests/latest: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:library/auto Type:repository]]

I've also checked scan-vulnerabilityreport pod manifest to confirm it tries to pull auto image instead of istio proxyv2 image:

  containers:
  - args:
	- -c
	- trivy image --slow 'auto' --scanners vuln,secret --image-config-scanners secret   --skip-db-update
	  --cache-dir /tmp/trivy/.cache --quiet --list-all-pkgs --format json > /tmp/scan/result_istio-proxy.json
	  &&  bzip2 -c /tmp/scan/result_istio-proxy.json | base64

Is there any way I can get around this problem?

trivy-operator version: 0.15.1
helm chart version: 0.15.1
GKE version: 1.25.10-gke.2700