Replace scratch base image with distroless static

[szucsitg]

What would you like to be added:
I'd like to change the base image to distroless static from scratch. And also publish a debug version.

Why is this needed:
For GitLab CI the presence of shell is needed for Kubernetes based runners. If the project would publish such images, there could be easily a variant for debug image, that would contain shell. It is the approach that other project followed that runs on top of shell-less images, e.g. kaniko.

Additionally it'd save manually copying CA certificates during image build, as currently present in Dockerfile. The image size difference would be negligible with distroless static base image.

Additional context:
If you agree with the approach, I'm happy to contribute this.

[luhring]

This sounds interesting!

For GitLab CI the presence of shell is needed for Kubernetes based runners.

Could you explain why this is? I'm trying to wrap my head around it

[szucsitg]

I can only point to some sparse documentation around this:
https://docs.gitlab.com/runner/executors/kubernetes.html#container-entrypoint
https://docs.gitlab.com/ee/ci/docker/using_kaniko.html#building-a-docker-image-with-kaniko --> "a shell is required for an image to be used with GitLab CI/CD"

I think the design decision was that they assumed most of the time you want to issue more than one command in a CI step, and it helped them to keep the existing syntax. Also it's quite the norm to have shell in images, regardless I do not agree with such deployments in production.

[npalladium]

This is something that would interest me as well.

[stexandev]

Actually, this is keeping us from integrating syft into our (gitlab) ci pipelines. Go for it!

[wagoodman]

I think internally we're leaning towards adding another docker build for the distroless-static debug variant (and leaving the existing image as is, using static).

[spiffcs]

I'll get this new distroless image added to the manifest