diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 03da7e4dc..de69b0ebe 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -126,6 +126,59 @@ dockers: - "--build-arg=VCS_REF={{.FullCommit}}" - "--build-arg=VCS_URL={{.GitURL}}" + # nonroot images... + - image_templates: + - anchore/syft:{{.Tag}}-nonroot-amd64 + - ghcr.io/anchore/syft:{{.Tag}}-nonroot-amd64 + goarch: amd64 + dockerfile: Dockerfile.nonroot + use: buildx + build_flag_templates: + - "--platform=linux/amd64" + - "--build-arg=BUILD_DATE={{.Date}}" + - "--build-arg=BUILD_VERSION={{.Version}}" + - "--build-arg=VCS_REF={{.FullCommit}}" + - "--build-arg=VCS_URL={{.GitURL}}" + + - image_templates: + - anchore/syft:{{.Tag}}-nonroot-arm64v8 + - ghcr.io/anchore/syft:{{.Tag}}-nonroot-arm64v8 + goarch: arm64 + dockerfile: Dockerfile.nonroot + use: buildx + build_flag_templates: + - "--platform=linux/arm64/v8" + - "--build-arg=BUILD_DATE={{.Date}}" + - "--build-arg=BUILD_VERSION={{.Version}}" + - "--build-arg=VCS_REF={{.FullCommit}}" + - "--build-arg=VCS_URL={{.GitURL}}" + + - image_templates: + - anchore/syft:{{.Tag}}-nonroot-ppc64le + - ghcr.io/anchore/syft:{{.Tag}}-nonroot-ppc64le + goarch: ppc64le + dockerfile: Dockerfile.nonroot + use: buildx + build_flag_templates: + - "--platform=linux/ppc64le" + - "--build-arg=BUILD_DATE={{.Date}}" + - "--build-arg=BUILD_VERSION={{.Version}}" + - "--build-arg=VCS_REF={{.FullCommit}}" + - "--build-arg=VCS_URL={{.GitURL}}" + + - image_templates: + - anchore/syft:{{.Tag}}-nonroot-s390x + - ghcr.io/anchore/syft:{{.Tag}}-nonroot-s390x + goarch: s390x + dockerfile: Dockerfile.nonroot + use: buildx + build_flag_templates: + - "--platform=linux/s390x" + - "--build-arg=BUILD_DATE={{.Date}}" + - "--build-arg=BUILD_VERSION={{.Version}}" + - "--build-arg=VCS_REF={{.FullCommit}}" + - "--build-arg=VCS_URL={{.GitURL}}" + # debug images... - image_templates: - anchore/syft:{{.Tag}}-debug-amd64 
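Review bot: The new `# nonroot images...` header in the `dockers` list does not say why a separate nonroot variant now exists, and a reader of this file alone cannot tell that the default `{{.Tag}}-<arch>` entries above it are now built from a Dockerfile with no `USER` instruction (the Dockerfile hunk in this commit switches it to `FROM scratch` and drops `USER nonroot`). Suggest expanding the comment to `# nonroot images: same binary, built from Dockerfile.nonroot so the process runs as the distroless nonroot user; the default images above run as root`. As a point of style, the four new entries repeat the same five `build_flag_templates` lines already present in every other entry, so a future flag change has to be applied in every arch/variant combination; a short comment at the top of `dockers` noting that the flag list must be kept identical across entries would at least make that expectation explicit.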
@@ -180,7 +233,6 @@ dockers: - "--build-arg=VCS_URL={{.GitURL}}" docker_manifests: - # anchore/syft manifests... - name_template: anchore/syft:latest image_templates: - anchore/syft:{{.Tag}}-amd64 @@ -188,6 +240,13 @@ docker_manifests: - anchore/syft:{{.Tag}}-ppc64le - anchore/syft:{{.Tag}}-s390x + - name_template: ghcr.io/anchore/syft:latest + image_templates: + - ghcr.io/anchore/syft:{{.Tag}}-amd64 + - ghcr.io/anchore/syft:{{.Tag}}-arm64v8 + - ghcr.io/anchore/syft:{{.Tag}}-ppc64le + - ghcr.io/anchore/syft:{{.Tag}}-s390x + - name_template: anchore/syft:{{.Tag}} image_templates: - anchore/syft:{{.Tag}}-amd64 @@ -195,28 +254,6 @@ docker_manifests: - anchore/syft:{{.Tag}}-ppc64le - anchore/syft:{{.Tag}}-s390x - - name_template: anchore/syft:debug - image_templates: - - anchore/syft:{{.Tag}}-debug-amd64 - - anchore/syft:{{.Tag}}-debug-arm64v8 - - anchore/syft:{{.Tag}}-debug-ppc64le - - anchore/syft:{{.Tag}}-debug-s390x - - - name_template: anchore/syft:{{.Tag}}-debug - image_templates: - - anchore/syft:{{.Tag}}-debug-amd64 - - anchore/syft:{{.Tag}}-debug-arm64v8 - - anchore/syft:{{.Tag}}-debug-ppc64le - - anchore/syft:{{.Tag}}-debug-s390x - - # ghcr.io/anchore/syft manifests... - - name_template: ghcr.io/anchore/syft:latest - image_templates: - - ghcr.io/anchore/syft:{{.Tag}}-amd64 - - ghcr.io/anchore/syft:{{.Tag}}-arm64v8 - - ghcr.io/anchore/syft:{{.Tag}}-ppc64le - - ghcr.io/anchore/syft:{{.Tag}}-s390x - - name_template: ghcr.io/anchore/syft:{{.Tag}} image_templates: - ghcr.io/anchore/syft:{{.Tag}}-amd64 
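Review bot: Removing the `# anchore/syft manifests...` header leaves the default `latest` and `{{.Tag}}` manifests for both registries as the only group in `docker_manifests` without a section comment, while the nonroot and debug groups added later in the file each keep one. Suggest a header such as `# default images (run as root)...` above `- name_template: anchore/syft:latest` in the first hunk; it also records that `latest` now resolves to the scratch-based image from this commit's Dockerfile change, where `USER nonroot` was dropped, which is a behaviour change for anyone pulling the floating tag. The ghcr `latest` manifest added in the second hunk would sit under the same header.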
@@ -224,6 +261,43 @@ docker_manifests: - ghcr.io/anchore/syft:{{.Tag}}-ppc64le - ghcr.io/anchore/syft:{{.Tag}}-s390x + # nonroot images... + - name_template: anchore/syft:nonroot + image_templates: + - anchore/syft:{{.Tag}}-nonroot-amd64 + - anchore/syft:{{.Tag}}-nonroot-arm64v8 + - anchore/syft:{{.Tag}}-nonroot-ppc64le + - anchore/syft:{{.Tag}}-nonroot-s390x + + - name_template: ghcr.io/anchore/syft:nonroot + image_templates: + - ghcr.io/anchore/syft:{{.Tag}}-nonroot-amd64 + - ghcr.io/anchore/syft:{{.Tag}}-nonroot-arm64v8 + - ghcr.io/anchore/syft:{{.Tag}}-nonroot-ppc64le + - ghcr.io/anchore/syft:{{.Tag}}-nonroot-s390x + + - name_template: anchore/syft:{{.Tag}}-nonroot + image_templates: + - anchore/syft:{{.Tag}}-nonroot-amd64 + - anchore/syft:{{.Tag}}-nonroot-arm64v8 + - anchore/syft:{{.Tag}}-nonroot-ppc64le + - anchore/syft:{{.Tag}}-nonroot-s390x + + - name_template: ghcr.io/anchore/syft:{{.Tag}}-nonroot + image_templates: + - ghcr.io/anchore/syft:{{.Tag}}-nonroot-amd64 + - ghcr.io/anchore/syft:{{.Tag}}-nonroot-arm64v8 + - ghcr.io/anchore/syft:{{.Tag}}-nonroot-ppc64le + - ghcr.io/anchore/syft:{{.Tag}}-nonroot-s390x + + # debug images... + - name_template: anchore/syft:debug + image_templates: + - anchore/syft:{{.Tag}}-debug-amd64 + - anchore/syft:{{.Tag}}-debug-arm64v8 + - anchore/syft:{{.Tag}}-debug-ppc64le + - anchore/syft:{{.Tag}}-debug-s390x + - name_template: ghcr.io/anchore/syft:debug image_templates: - ghcr.io/anchore/syft:{{.Tag}}-debug-amd64 @@ -231,6 +305,13 @@ docker_manifests: - ghcr.io/anchore/syft:{{.Tag}}-debug-ppc64le - ghcr.io/anchore/syft:{{.Tag}}-debug-s390x + - name_template: anchore/syft:{{.Tag}}-debug + image_templates: + - anchore/syft:{{.Tag}}-debug-amd64 + - anchore/syft:{{.Tag}}-debug-arm64v8 + - anchore/syft:{{.Tag}}-debug-ppc64le + - anchore/syft:{{.Tag}}-debug-s390x + - name_template: ghcr.io/anchore/syft:{{.Tag}}-debug image_templates: - ghcr.io/anchore/syft:{{.Tag}}-debug-amd64 
diff --git a/Dockerfile b/Dockerfile
index 86b6b643f..9e682b2d6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,12 +1,14 @@
-FROM gcr.io/distroless/static-debian12:nonroot
+FROM gcr.io/distroless/static-debian12:latest AS build
+
+FROM scratch
+# needed for version check HTTPS request
+COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 
 # create the /tmp dir, which is needed for image content cache
 WORKDIR /tmp
 
 COPY syft /
 
-USER nonroot
-
 ARG BUILD_DATE
 ARG BUILD_VERSION
 ARG VCS_REF
diff --git a/Dockerfile.nonroot b/Dockerfile.nonroot
new file mode 100644
index 000000000..86b6b643f
--- /dev/null
+++ b/Dockerfile.nonroot
@@ -0,0 +1,27 @@
+FROM gcr.io/distroless/static-debian12:nonroot
+
+# create the /tmp dir, which is needed for image content cache
+WORKDIR /tmp
+
+COPY syft /
+
+USER nonroot
+
+ARG BUILD_DATE
+ARG BUILD_VERSION
+ARG VCS_REF
+ARG VCS_URL
+
+LABEL org.opencontainers.image.created=$BUILD_DATE
+LABEL org.opencontainers.image.title="syft"
+LABEL org.opencontainers.image.description="CLI tool and library for generating a Software Bill of Materials from container images and filesystems"
+LABEL org.opencontainers.image.source=$VCS_URL
+LABEL org.opencontainers.image.revision=$VCS_REF
+LABEL org.opencontainers.image.vendor="Anchore, Inc."
+LABEL org.opencontainers.image.version=$BUILD_VERSION
+LABEL org.opencontainers.image.licenses="Apache-2.0"
+LABEL io.artifacthub.package.readme-url="https://raw.githubusercontent.com/anchore/syft/main/README.md"
+LABEL io.artifacthub.package.logo-url="https://user-images.githubusercontent.com/5199289/136844524-1527b09f-c5cb-4aa9-be54-5aa92a6086c1.png"
+LABEL io.artifacthub.package.license="Apache-2.0"
+
+ENTRYPOINT ["/syft"]
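Review bot: With `FROM scratch` and the `USER nonroot` line removed, the default image now runs syft as UID 0, and nothing in the Dockerfile records that this is intentional. If root is required for the default image, add a comment next to `FROM scratch` such as `# runs as root: <reason>; see Dockerfile.nonroot for the unprivileged variant`; if it is not, a numeric `USER 65532:65532` works on scratch without an /etc/passwd, though the `WORKDIR /tmp` directory would then be root-owned and the cache location would need to be made writable for that user. Separately, the CA bundle is copied from `gcr.io/distroless/static-debian12:latest`, a floating tag, so the certificate set baked into a release is not reproducible across rebuilds; pinning the build stage by digest, `FROM gcr.io/distroless/static-debian12:latest@sha256:<digest-placeholder> AS build`, makes it deterministic and auditable.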
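Review bot: Dockerfile.nonroot is a byte-for-byte copy of the previous Dockerfile (both carry blob `86b6b643f`), so the two files now differ only in the base image, the certificate `COPY` and the `USER` line, and the shared WORKDIR/COPY/ARG/LABEL block will drift as one is edited and the other is not. A header comment on the first line such as `# nonroot variant of ./Dockerfile; keep the ARG/LABEL block in sync with it` makes the relationship visible to the next maintainer. Alternatively a single Dockerfile whose base stage is selected by a build arg would remove the duplication entirely, since goreleaser already passes per-image `build_flag_templates`.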