verity-org · omercnet · Apr 28, 2026
diff --git a/integration/singlearch/patch_test.go b/integration/singlearch/patch_test.go
@@ -77,7 +77,7 @@ func TestPatch(t *testing.T) {
 			// for local-only images when the daemon in question is not docker itself.
 			// i.e., don't test local images in buildx or with stock buildkit.
 			if img.LocalName != "" && !strings.HasPrefix(os.Getenv(`COPA_BUILDKIT_ADDR`), "docker://") {
-				t.Skip()
+				t.Skipf("local-only image %q requires docker:// buildkit; current COPA_BUILDKIT_ADDR=%q does not support local images", img.LocalName, os.Getenv("COPA_BUILDKIT_ADDR"))
 			}
 
 			dir := t.TempDir()

diff --git a/test/e2e/frontend/frontend_test.go b/test/e2e/frontend/frontend_test.go
@@ -464,9 +464,8 @@ func runFrontendMultiplatformTest(t *testing.T) {
 		reportsGenerated++
 	}
 
-	// Skip test if no reports were generated (e.g., due to disk space issues)
 	if reportsGenerated == 0 {
-		t.Skip("Skipping multiplatform test: no vulnerability reports could be generated (possible disk space or network issue)")
+		t.Fatal("no vulnerability reports could be generated for any platform; this indicates a real failure in scanner/buildkit/network setup, not a flake — investigate the per-platform t.Logf output above")
 	}
 
 	outputTar := filepath.Join(tempDir, "multiarch-patched.tar")

diff --git a/test/e2e/golang/golang_test.go b/test/e2e/golang/golang_test.go
@@ -169,7 +169,7 @@ func TestGoBinaryPatchingByCategory(t *testing.T) {
 					scanResultsFile := filepath.Join(dir, "scan.json")
 					vulnsBefore := scanAndParse(t, ref, scanResultsFile, img.SkipMainModule, img.Image, testCacheDir)
 					if len(vulnsBefore) == 0 {
-						t.Skip("no vulnerabilities found in baseline scan")
+						t.Fatalf("no vulnerabilities found in baseline scan of %s; this baseline image is selected because it has known CVEs — a zero result indicates a scanner regression, stale Trivy DB, or upstream image rebuild", ref)
 					}
 
 					// Patch
@@ -217,7 +217,7 @@ func TestMultiBinaryImages(t *testing.T) {
 			scanResultsFile := filepath.Join(dir, "scan.json")
 			vulnsBefore := scanAndParse(t, ref, scanResultsFile, img.SkipMainModule, img.Image, testCacheDir)
 			if len(vulnsBefore) == 0 {
-				t.Skip("no vulnerabilities found")
+				t.Fatalf("no vulnerabilities found in baseline scan of multi-binary image %s; this baseline is selected because it has known CVEs — a zero result indicates a scanner regression, stale Trivy DB, or upstream image rebuild", ref)
 			}
 
 			t.Logf("Testing multi-binary image with %d expected binaries: %v",
@@ -278,7 +278,7 @@ func TestDistrolessImages(t *testing.T) {
 			scanResultsFile := filepath.Join(dir, "scan.json")
 			vulnsBefore := scanAndParse(t, ref, scanResultsFile, img.SkipMainModule, img.Image, testCacheDir)
 			if len(vulnsBefore) == 0 {
-				t.Skip("no vulnerabilities found")
+				t.Fatalf("no vulnerabilities found in baseline scan of distroless image %s; this baseline is selected because it has known CVEs — a zero result indicates a scanner regression, stale Trivy DB, or upstream image rebuild", ref)
 			}
 
 			t.Logf("Testing distroless/scratch image: %s (category: %s)", ref, img.Category)