Post TAP upgrade, image-scanner is not entering healthy state and "step-trivy-generate-report" is failing
$ tanzu apps workload get -n NAMESPACE-NAME WORKLOAD-NAME
.
.
.
📦 Supply Chain
name: source-scan-to-url
NAME READY HEALTHY UPDATED RESOURCE
source-provider True True 10d gitrepositories.source.toolkit.fluxcd.io/WORKLOAD-NAME
image-provider True True 10m images.kpack.io/WORKLOAD-NAME
image-scanner False False 10m imagevulnerabilityscans.app-scanning.apps.tanzu.vmware.com/WORKLOAD-NAME-trivy-scan-abc123
.
.
.
💬 Messages
Workload [HealthyConditionRule]: condition status: False, message: "step-trivy-generate-report" exited with code 1: Error ; Error ; Tasks Completed: 2 (Failed: 1, Cancelled 0), Skipped: 1
A "read: connection reset by peer" error is observed in the "step-trivy-generate-report" container log.
$ kubectl logs -n NAMESPACE-NAME WORKLOAD-NAME-trivy-scan-abc123-efg456-scan-task-pod -c step-trivy-generate-report
.
.
.
2026-05-26T06:50:44.574Z FATAL image scan error: scan error: scan failed: failed analysis: analyze error: pipeline error: failed to analyze layer (sha256:SOME-SHA): walk error: failed to process the file: failed to analyze file: failed to analyze cnb/lifecycle/launcher: unable to open cnb/lifecycle/launcher: failed to open: unable to read the file: read tcp SOME-IP-1:56496->SOME-IP-2:443: read: connection reset by peer
The "SOME-IP-1:56496->SOME-IP-2:443: read: connection reset by peer" error suggests that Trivy had trouble talking to an external service (possibly the registry where the image is stored), and sometimes this is a temporary issue.
Run the following command to delete the problematic ImageVulnerabilityScan. Cartographer then creates a new one, which triggers the scan again and retries the rest of the chain from there.
$ kubectl delete imagevulnerabilityscans.app-scanning.apps.tanzu.vmware.com/WORKLOAD-NAME-trivy-scan-abc123 -n NAMESPACE-NAME
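The check and retry above can be combined so that a scan is deleted only when its log shows the connection reset, and other scan failures are left in place for investigation. This is an added example, not part of the original article; the function names and the sample log lines are assumptions made for illustration, and the namespace, scan and pod names are passed as arguments.

```shell
#!/usr/bin/env bash
# Added example: retry a failed Trivy scan only when the failure was a TCP reset.

# Reads a step-trivy-generate-report log on stdin.
# Returns 0: last FATAL line is a connection reset (likely transient)
#         1: FATAL line with some other cause
#         2: no FATAL line found (or the log could not be read)
classify_scan_log() {
  local fatal
  fatal=$(grep -F 'FATAL' | tail -n 1)
  [ -n "$fatal" ] || return 2
  case "$fatal" in
    *"read: connection reset by peer"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Fetch the step log and delete the ImageVulnerabilityScan only for a reset,
# so that Cartographer recreates it and the scan runs again.
retry_scan_if_transient() {
  local ns=$1 scan=$2 pod=$3 rc=0
  kubectl logs -n "$ns" "$pod" -c step-trivy-generate-report | classify_scan_log || rc=$?
  case $rc in
    0) kubectl delete "imagevulnerabilityscans.app-scanning.apps.tanzu.vmware.com/$scan" -n "$ns" ;;
    1) echo "FATAL error is not a connection reset; not deleting $scan" >&2; return 1 ;;
    *) echo "no FATAL line in the log; not deleting $scan" >&2; return 2 ;;
  esac
}

# Constructed sample logs for an offline check (placeholders as in the article).
sample_reset_log() {
  cat <<'EOF'
2026-05-26T06:50:40.100Z INFO constructed sample line
2026-05-26T06:50:44.574Z FATAL image scan error: scan error: scan failed: failed to open: unable to read the file: read tcp SOME-IP-1:56496->SOME-IP-2:443: read: connection reset by peer
EOF
}
sample_other_log() {
  echo '2026-05-26T06:50:44.574Z FATAL image scan error: constructed non-network failure'
}

# Usage: ./retry-scan.sh NAMESPACE-NAME SCAN-NAME SCAN-TASK-POD-NAME
if [ "$#" -eq 3 ]; then
  retry_scan_if_transient "$@"
fi
```

If the recreated scan fails with the same reset repeatedly, the issue is no longer temporary and connectivity between the scan pod and the registry needs to be checked.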