diff --git a/Makefile b/Makefile
index debaf4de4..cf0032c03 100644
--- a/Makefile
+++ b/Makefile
@@ -123,3 +123,15 @@ clone-samples:
 		tar -xJvf samples/linux/clean/$$file -C samples/linux/clean; \
 	done
 	tar -xJvf samples/macOS/clean/bincapz.xz -C samples/macOS/clean
+
+ARCH ?= $(shell uname -m)
+CRANE_VERSION=v0.20.2
+out/crane-$(ARCH)-$(CRANE_VERSION):
+	mkdir -p out
+	GOBIN=$(CURDIR)/out go install github.com/google/go-containerregistry/cmd/crane@$(CRANE_VERSION)
+	mv out/crane out/crane-$(ARCH)-$(CRANE_VERSION)
+
+export-image: out/crane-$(ARCH)-$(CRANE_VERSION)
+	./out/crane-$(ARCH)-$(CRANE_VERSION) \
+	export \
+	cgr.dev/chainguard/static:latest@sha256:bde549df44d5158013856a778b34d8972cf52bb2038ec886475d857ec7c365ed - | xz > pkg/action/testdata/static.tar.xz
diff --git a/pkg/action/oci_test.go b/pkg/action/oci_test.go
index 08ec2aee9..ebbe9d3d0 100644
--- a/pkg/action/oci_test.go
+++ b/pkg/action/oci_test.go
@@ -38,10 +38,9 @@ func TestOCI(t *testing.T) {
 		IgnoreSelf:  false,
 		MinFileRisk: 0,
 		MinRisk:     0,
-		OCI:         true,
 		Renderer:    simple,
 		Rules:       yrs,
-		ScanPaths:   []string{"cgr.dev/chainguard/static@sha256:791657dd88dea8c1f9d3779815429f9c681a9a2778fc66dac3fbf550e1f1d9c8"},
+		ScanPaths:   []string{"testdata/static.tar.xz"},
 	}
 	res, err := Scan(ctx, bc)
 	if err != nil {
diff --git a/pkg/action/testdata/scan_oci b/pkg/action/testdata/scan_oci
index eb1107aa9..81ec65824 100644
--- a/pkg/action/testdata/scan_oci
+++ b/pkg/action/testdata/scan_oci
@@ -1,17 +1,17 @@
-# cgr.dev/chainguard/static@sha256:791657dd88dea8c1f9d3779815429f9c681a9a2778fc66dac3fbf550e1f1d9c8 ∴ /etc/profile
+# testdata/static.tar.xz ∴ /etc/profile
 fs/file/permission/mask/set
 persist/bash
 persist/shell/init_files
 ref/path/etc
 ref/path/usr
 ref/path/usr/local
-# cgr.dev/chainguard/static@sha256:791657dd88dea8c1f9d3779815429f9c681a9a2778fc66dac3fbf550e1f1d9c8 ∴ /var/lib/db/sbom/ca-certificates-bundle-20240705-r0.spdx.json
+# testdata/static.tar.xz ∴ /var/lib/db/sbom/ca-certificates-bundle-20240705-r0.spdx.json
 net/download
 ref/site/url
-# cgr.dev/chainguard/static@sha256:791657dd88dea8c1f9d3779815429f9c681a9a2778fc66dac3fbf550e1f1d9c8 ∴ /var/lib/db/sbom/tzdata-2024a-r3.spdx.json
+# testdata/static.tar.xz ∴ /var/lib/db/sbom/tzdata-2024b-r0.spdx.json
 net/download
 ref/site/url
 time/tzinfo
-# cgr.dev/chainguard/static@sha256:791657dd88dea8c1f9d3779815429f9c681a9a2778fc66dac3fbf550e1f1d9c8 ∴ /var/lib/db/sbom/wolfi-baselayout-20230201-r15.spdx.json
+# testdata/static.tar.xz ∴ /var/lib/db/sbom/wolfi-baselayout-20230201-r15.spdx.json
 net/download
 ref/site/url
diff --git a/pkg/action/testdata/static.tar.xz b/pkg/action/testdata/static.tar.xz
new file mode 100644
index 000000000..8fd3e48fa
Binary files /dev/null and b/pkg/action/testdata/static.tar.xz differ
diff --git a/test_data/refresh-testdata.sh b/test_data/refresh-testdata.sh
index 760f843e6..21205ef39 100755
--- a/test_data/refresh-testdata.sh
+++ b/test_data/refresh-testdata.sh
@@ -27,9 +27,8 @@ fi
 ${bincapz} --format=simple \
     --min-risk any \
     --min-file-risk any \
-    --oci \
     -o ../pkg/action/testdata/scan_oci \
-    cgr.dev/chainguard/static@sha256:791657dd88dea8c1f9d3779815429f9c681a9a2778fc66dac3fbf550e1f1d9c8 &
+    ../pkg/action/testdata/static.tar.xz; sed -i.bak 's|\.\.\/pkg\/action\/||g' ../pkg/action/testdata/scan_oci && rm ../pkg/action/testdata/scan_oci.bak &
 
 # diffs don't follow an easy rule
 ${bincapz} --format=markdown \