add distroless debug image to published release #1106

Merged
merged 7 commits into from Jul 20, 2022

@spiffcs spiffcs commented Jul 19, 2022

Move base image from scratch to distroless as discussed during the community meeting.

Debian was chosen based on the fact that it is the smallest available distroless image.

The new tag is anchore/syft:{{.Tag}}-debug. Let me know if this should be changed or we want a different convention.

Summary of images being built with this new configuration:

anchore/syft                                latest                    fb17e10f01b3    61.8MB
anchore/syft                                v0.51.0                   fb17e10f01b3    61.8MB
anchore/syft                                debug                     4155e8d6d504    65.1MB
anchore/syft                                v0.51.0-debug             4155e8d6d504    65.1MB
anchore/syft                                debug-arm64v8             188b177139f8    63.5MB
anchore/syft                                v0.51.0-arm64v8           30411dd8bec6    60.1MB
anchore/syft                                v0.51.0-debug-arm64v8     188b177139f8    63.5MB


ghcr.io/anchore/syft                       latest                     fb17e10f01b3    61.8MB
ghcr.io/anchore/syft                       v0.51.0                    fb17e10f01b3    61.8MB
ghcr.io/anchore/syft                       debug                      4155e8d6d504    65.1MB
ghcr.io/anchore/syft                       v0.51.0-debug              4155e8d6d504    65.1MB
ghcr.io/anchore/syft                       debug-arm64v8              188b177139f8    63.5MB
ghcr.io/anchore/syft                       v0.51.0-arm64v8            30411dd8bec6    60.1MB
ghcr.io/anchore/syft                       v0.51.0-debug-arm64v8      188b177139f8    63.5MB

Closes #833

Signed-off-by: Christopher Phillips christopher.phillips@anchore.com

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

github-actions bot commented Jul 19, 2022

Benchmark Test Results

Benchmark results from the latest changes vs base branch
name                                                       old time/op    new time/op    delta
ImagePackageCatalogers/alpmdb-cataloger-2                    12.0ms ± 3%    11.7ms ± 1%  -2.65%  (p=0.008 n=5+5)
ImagePackageCatalogers/ruby-gemspec-cataloger-2              1.35ms ± 1%    1.33ms ± 0%    ~     (p=0.114 n=4+4)
ImagePackageCatalogers/python-package-cataloger-2            3.44ms ± 2%    3.34ms ± 2%  -2.77%  (p=0.008 n=5+5)
ImagePackageCatalogers/php-composer-installed-cataloger-2    1.11ms ± 2%    1.09ms ± 1%    ~     (p=0.095 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2         780µs ± 2%     761µs ± 1%  -2.35%  (p=0.016 n=5+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                     926µs ± 3%     901µs ± 1%  -2.67%  (p=0.008 n=5+5)
ImagePackageCatalogers/rpmdb-cataloger-2                     1.36ms ± 1%    1.34ms ± 2%    ~     (p=0.095 n=5+5)
ImagePackageCatalogers/java-cataloger-2                      15.2ms ± 0%    14.9ms ± 1%  -2.12%  (p=0.008 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                     1.39ms ± 2%    1.36ms ± 2%  -2.05%  (p=0.032 n=5+5)
ImagePackageCatalogers/go-module-binary-cataloger-2          2.25µs ± 2%    2.18µs ± 2%  -2.80%  (p=0.008 n=5+5)
ImagePackageCatalogers/dotnet-deps-cataloger-2               1.44ms ± 2%    1.41ms ± 1%  -2.03%  (p=0.032 n=5+5)
ImagePackageCatalogers/portage-cataloger-2                    735µs ± 2%     720µs ± 1%  -2.08%  (p=0.032 n=5+5)

name                                                       old alloc/op   new alloc/op   delta
ImagePackageCatalogers/alpmdb-cataloger-2                    5.26MB ± 0%    5.26MB ± 0%    ~     (p=0.222 n=5+5)
ImagePackageCatalogers/ruby-gemspec-cataloger-2               202kB ± 0%     202kB ± 0%    ~     (p=0.548 n=5+5)
ImagePackageCatalogers/python-package-cataloger-2             945kB ± 0%     945kB ± 0%    ~     (p=1.000 n=5+5)
ImagePackageCatalogers/php-composer-installed-cataloger-2     214kB ± 0%     214kB ± 0%    ~     (p=0.651 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2         158kB ± 0%     158kB ± 0%    ~     (p=1.000 n=5+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                     203kB ± 0%     203kB ± 0%    ~     (p=0.460 n=5+5)
ImagePackageCatalogers/rpmdb-cataloger-2                      301kB ± 0%     301kB ± 0%    ~     (p=0.056 n=5+5)
ImagePackageCatalogers/java-cataloger-2                      3.44MB ± 0%    3.44MB ± 0%    ~     (p=0.421 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                     1.25MB ± 0%    1.25MB ± 0%    ~     (p=0.690 n=5+5)
ImagePackageCatalogers/go-module-binary-cataloger-2            672B ± 0%      672B ± 0%    ~     (all equal)
ImagePackageCatalogers/dotnet-deps-cataloger-2                369kB ± 0%     369kB ± 0%    ~     (p=0.151 n=5+5)
ImagePackageCatalogers/portage-cataloger-2                    136kB ± 0%     136kB ± 0%    ~     (p=0.095 n=5+5)

name                                                       old allocs/op  new allocs/op  delta
ImagePackageCatalogers/alpmdb-cataloger-2                     85.7k ± 0%     85.7k ± 0%    ~     (p=0.333 n=4+5)
ImagePackageCatalogers/ruby-gemspec-cataloger-2               4.25k ± 0%     4.25k ± 0%    ~     (all equal)
ImagePackageCatalogers/python-package-cataloger-2             16.6k ± 0%     16.6k ± 0%    ~     (p=0.952 n=5+5)
ImagePackageCatalogers/php-composer-installed-cataloger-2     5.53k ± 0%     5.53k ± 0%    ~     (p=0.238 n=4+5)
ImagePackageCatalogers/javascript-package-cataloger-2         3.31k ± 0%     3.31k ± 0%    ~     (p=0.333 n=5+4)
ImagePackageCatalogers/dpkgdb-cataloger-2                     4.60k ± 0%     4.60k ± 0%    ~     (all equal)
ImagePackageCatalogers/rpmdb-cataloger-2                      8.10k ± 0%     8.10k ± 0%    ~     (all equal)
ImagePackageCatalogers/java-cataloger-2                       57.5k ± 0%     57.5k ± 0%    ~     (p=0.595 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                      5.43k ± 0%     5.43k ± 0%    ~     (p=0.643 n=5+5)
ImagePackageCatalogers/go-module-binary-cataloger-2            15.0 ± 0%      15.0 ± 0%    ~     (all equal)
ImagePackageCatalogers/dotnet-deps-cataloger-2                7.27k ± 0%     7.27k ± 0%    ~     (all equal)
ImagePackageCatalogers/portage-cataloger-2                    3.59k ± 0%     3.59k ± 0%    ~     (p=0.365 n=5+5)


spiffcs commented Jul 19, 2022

After reading #833 more in-depth it looks like this still does not add a shell which was the requested change. I'll revert this commit and add this via the image_template block with a separate file in .goreleaser.yaml

@06kellyjac

Only the distroless debug images have a shell. Also for this reason I would strongly request there be a scratch & distroless debug image

https://github.com/GoogleContainerTools/distroless#debug-images

Or provide a simple Dockerfile that can copy the binary from syft scratch container into distroless debug or alpine etc


Also as a note, distroless static comes with ca-certs, so doesn't need them copied in, so is probably the best option for a static go bin

https://github.com/GoogleContainerTools/distroless/tree/main/base#image-contents


spiffcs commented Jul 20, 2022

Thanks a million @06kellyjac! I'll update the goreleaser config so we have the scratch & distroless debug image.

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs spiffcs requested a review from a team July 20, 2022 14:37
debug.Dockerfile Outdated
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
.goreleaser.yaml Outdated
- image_templates:
- anchore/syft:latest
- ghcr.io/anchore/syft:latest
- ghcr.io/anchore/syft:{{.Tag}}-amd64
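Review bot: ghcr.io gets an architecture-suffixed tag in this entry (ghcr.io/anchore/syft:{{.Tag}}-amd64), but no anchore/syft:{{.Tag}}-amd64 line is visible beside it. If the Docker Hub manifest is meant to reference a per-architecture tag as well, confirm that tag is listed in the part of the entry not shown here, so both registries publish the same set of tags.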
Is this -amd64 intentional? It looks to be covered in the manifests section (but we should double check this).

@spiffcs spiffcs Jul 20, 2022

^ Manifests pull from the dockers.image_templates section

So if you did a make build on your local and then docker manifest inspect anchore/syft:latest

you would see 2 distributions.

This line also existed on our previous build file in the diff at line 106. I don't think manifests should be able to "cover" anything that is happening in the dockers section of this config.

See: https://goreleaser.com/customization/docker_manifest/#example-config for the example setup for manifests and why we specify amd64 here.

That makes sense, thanks for the info / double checking 👍
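The tagging scheme discussed in this thread (architecture-suffixed image tags that a manifest then groups, with the shell-bearing debug variant kept under its own tags) can be sketched as below. This is an added example, not the syft project's actual `.goreleaser.yaml`; `example/tool`, the `-debug-amd64` and `-debug-arm64v8` tag names and the contents of both Dockerfiles are assumptions.

```yaml
# Added sketch; "example/tool" and the debug tag suffixes are assumed names.
dockers:
  # Default image: built from scratch, contains no shell.
  - image_templates:
      - "example/tool:{{ .Tag }}-amd64"
    dockerfile: Dockerfile
    use: buildx
    goarch: amd64
    build_flag_templates:
      - "--platform=linux/amd64"
  - image_templates:
      - "example/tool:{{ .Tag }}-arm64v8"
    dockerfile: Dockerfile
    use: buildx
    goarch: arm64
    build_flag_templates:
      - "--platform=linux/arm64/v8"
  # Debug image: distroless debug base, which ships a busybox shell.
  # Published only under -debug tags so the default tags stay shell-free.
  - image_templates:
      - "example/tool:{{ .Tag }}-debug-amd64"
    dockerfile: debug.Dockerfile
    use: buildx
    goarch: amd64
    build_flag_templates:
      - "--platform=linux/amd64"
  - image_templates:
      - "example/tool:{{ .Tag }}-debug-arm64v8"
    dockerfile: debug.Dockerfile
    use: buildx
    goarch: arm64
    build_flag_templates:
      - "--platform=linux/arm64/v8"

# Each manifest lists tags that a dockers entry above has already pushed.
docker_manifests:
  - name_template: "example/tool:{{ .Tag }}"
    image_templates:
      - "example/tool:{{ .Tag }}-amd64"
      - "example/tool:{{ .Tag }}-arm64v8"
  - name_template: "example/tool:{{ .Tag }}-debug"
    image_templates:
      - "example/tool:{{ .Tag }}-debug-amd64"
      - "example/tool:{{ .Tag }}-debug-arm64v8"
```

Running `docker manifest inspect` against a published manifest tag shows one entry per architecture listed under its `image_templates`.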

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs spiffcs changed the title move from scratch to distroless base add distroless debug image to published release Jul 20, 2022
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs spiffcs enabled auto-merge (squash) July 20, 2022 15:44
@spiffcs spiffcs merged commit 7bae9d4 into main Jul 20, 2022
@spiffcs spiffcs deleted the distroless branch July 20, 2022 15:54
@06kellyjac

I wouldn't personally call linux/arm64 m1 but maybe that's just me 😅

spiffcs added a commit to mayurwaghmode/syft that referenced this pull request Jul 20, 2022
* main:
  add distroless debug image to published release (anchore#1106)
  update help formatting (anchore#1105)
  feat: implement haskell support (anchore#1096)
  Add the -r argument for gnu xargs (anchore#1103)
  fix: -o output option to include formats (anchore#1102)

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
aiwantaozi pushed a commit to aiwantaozi/syft that referenced this pull request Oct 20, 2022
add debug distroless image to published release

Debian was chosen based on the fact that it is the smallest available distroless image
The new tag is `anchore/syft:debug`

Closes anchore#833
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
add debug distroless image to published release

Debian was chosen based on the fact that it is the smallest available distroless image
The new tag is `anchore/syft:debug`

Closes anchore#833
Successfully merging this pull request may close these issues.

Replace scratch base image with distroless static