Replace scratch base image with distroless static #833
Comments
This sounds interesting!
Could you explain why this is? I'm trying to wrap my head around it.
I can only point to some sparse documentation around this: I think the design decision was that they assumed most of the time you want to issue more than one command in a CI step, and it helped them to keep the existing syntax. Also it's quite the norm to have a shell in images; regardless, I do not agree with such deployments in production.
This is something that would interest me as well.
Actually, this is keeping us from integrating syft into our (GitLab) CI pipelines. Go for it!
I think internally we're leaning towards adding another docker build for the distroless-static debug variant (and leaving the existing image as is, using static). |
I'll get this new distroless image added to the manifest |
add debug distroless image to published release

Debian was chosen based on the fact that it is the smallest available distroless image.
The new tag is `anchore/syft:debug`

Closes #833
What would you like to be added:
I'd like to change the base image from scratch to distroless static, and also publish a debug version.
Why is this needed:
For GitLab CI the presence of a shell is needed for Kubernetes-based runners. If the project published such images, there could easily be a `debug` variant that contains a shell. This is the approach other projects that run on top of shell-less images have followed, e.g. kaniko. Additionally it would save manually copying CA certificates during the image build, as is currently done in the Dockerfile. The image size difference would be negligible with a distroless static base image.
Additional context:
If you agree with the approach, I'm happy to contribute this.
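The three base-image choices discussed in this issue, side by side, as an added example. This is not syft's own Dockerfile: the Go build stage, the `/out/app` binary path and the `gcr.io/distroless/static` image tags (`:nonroot`, `:debug`) are assumptions made for illustration.

```dockerfile
# Added example, not the project's Dockerfile. Image names, paths and the
# build command are assumptions; adapt them to the real project layout.

# --- build stage: compile a fully static Go binary ---
FROM golang:1.19 AS builder
WORKDIR /src
COPY . .
# CGO disabled so the binary carries no libc dependency and runs on an
# empty filesystem (scratch or distroless static).
RUN CGO_ENABLED=0 go build -o /out/app .

# --- variant 1: scratch (the approach the issue wants to replace) ---
# scratch contains nothing at all, so the TLS trust store has to be copied
# in by hand; forgetting it makes every HTTPS call fail at runtime.
FROM scratch AS scratch-variant
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY --from=builder /out/app /app
ENTRYPOINT ["/app"]

# --- variant 2: distroless static (proposed release image) ---
# Ships CA certificates, tzdata and an /etc/passwd with a "nonroot" user,
# but still no shell or package manager. Nothing to copy from the builder
# except the binary itself.
FROM gcr.io/distroless/static:nonroot AS release
COPY --from=builder /out/app /app
USER nonroot:nonroot
ENTRYPOINT ["/app"]

# --- variant 3: distroless static :debug (proposed debug tag) ---
# Same contents as the release variant plus a busybox shell, which is what
# GitLab's Kubernetes executor needs to run a job's script inside the image.
FROM gcr.io/distroless/static:debug AS debug
COPY --from=builder /out/app /app
ENTRYPOINT ["/app"]
```

Build the two published images with `docker build --target release -t app:latest .` and `docker build --target debug -t app:debug .`. In a `.gitlab-ci.yml` the job would reference the debug tag, and because the image sets an `ENTRYPOINT`, the runner usually needs `image: { name: "app:debug", entrypoint: [""] }` so that it can start its own shell instead of the application. Keeping the shell only in the `:debug` tag means production deployments can stay on the shell-less release image, which is the separation the comments above argue for.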