When a Dockerfile references an image hosted on Quay.io in the FROM statement and the image is private, Quay allows the user to define a robot account which will be used to pull the source image. This does not work correctly if a multistage build is needed. For example:

FROM quay.io/org/repo_a as build
RUN echo "first stage"
FROM quay.io/org/repo_b as release
RUN echo "second stage"

Quay will allow the user to define pull credentials for the first FROM statement but will return an unauthorized for the 2nd image since that image is also private, but credentials are nowhere defined (it could be that another robot is required to pull that image). When checking the Dockerfile, we should check all FROM statements and allow defining of pull credentials for all images hosted on Quay.