diff --git a/dpkg/scanner.go b/dpkg/scanner.go
index ee441329b..584d71f49 100644
--- a/dpkg/scanner.go
+++ b/dpkg/scanner.go
@@ -124,7 +124,8 @@ Find:
 		var db io.Reader
 		var h *tar.Header
 		for h, err = tr.Next(); err == nil; h, err = tr.Next() {
-			if h.Name == fn {
+			// The location from above is cleaned, so make sure to do that.
+			if c := filepath.Clean(h.Name); c == fn {
 				db = tr
 				break
 			}
diff --git a/dpkg/scanner_test.go b/dpkg/scanner_test.go
index 99db83c96..064f0aecd 100644
--- a/dpkg/scanner_test.go
+++ b/dpkg/scanner_test.go
@@ -825,6 +825,39 @@ func TestScanner(t *testing.T) {
 	}
 }
 
+func TestAbsolutePaths(t *testing.T) {
+	ctx := zlog.Test(context.Background(), t)
+	hash, err := claircore.ParseDigest("sha256:3c9020349340788076971d5ea638b71e35233fd8e149e269d8eebfa17960c03f")
+	if err != nil {
+		t.Fatal(err)
+	}
+	l := &claircore.Layer{
+		Hash: hash,
+	}
+
+	tctx, done := context.WithTimeout(ctx, 30*time.Second)
+	defer done()
+	n, err := fetch.Layer(tctx, t, http.DefaultClient, "gcr.io", "vmwarecloudadvocacy/acmeshop-user", hash)
+	if err != nil {
+		t.Error(err)
+	}
+	defer n.Close()
+
+	if err := l.SetLocal(n.Name()); err != nil {
+		t.Error(err)
+	}
+
+	s := &Scanner{}
+	got, err := s.Scan(ctx, l)
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Logf("found %d packages", len(got))
+	if len(got) == 0 {
+		t.Fail()
+	}
+}
+
 func TestExtraMetadata(t *testing.T) {
 	const layerfile = `testdata/extrametadata.layer`
 	l := claircore.Layer{
diff --git a/test/fetch/layer.go b/test/fetch/layer.go
index 97cd8b9b9..d52612e56 100644
--- a/test/fetch/layer.go
+++ b/test/fetch/layer.go
@@ -27,6 +27,7 @@ const (
 var registry = map[string]*client{
 	"docker.io": &client{Root: "https://registry-1.docker.io/"},
 	"quay.io":   &client{Root: "https://quay.io/"},
+	"gcr.io":    &client{Root: "https://gcr.io/"},
 }
 
 func Layer(ctx context.Context, t *testing.T, c *http.Client, from, repo string, blob claircore.Digest) (*os.File, error) {