fix: provide separate nonroot image (#3998)

Signed-off-by: Keith Zantow <kzantow@gmail.com>
2025-11-17 00:13:15 +01:00 · 2025-06-11 17:00:55 -04:00 · 2025-06-11 17:00:55 -04:00 · 10f0631710
commit 10f0631710
parent 96c34ffc43
3 changed files with 136 additions and 26 deletions
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -126,6 +126,59 @@ dockers:
      - "--build-arg=VCS_REF={{.FullCommit}}"
      - "--build-arg=VCS_URL={{.GitURL}}"

+  # nonroot images...
+  - image_templates:
+      - anchore/syft:{{.Tag}}-nonroot-amd64
+      - ghcr.io/anchore/syft:{{.Tag}}-nonroot-amd64
+    goarch: amd64
+    dockerfile: Dockerfile.nonroot
+    use: buildx
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--build-arg=BUILD_DATE={{.Date}}"
+      - "--build-arg=BUILD_VERSION={{.Version}}"
+      - "--build-arg=VCS_REF={{.FullCommit}}"
+      - "--build-arg=VCS_URL={{.GitURL}}"
+
+  - image_templates:
+      - anchore/syft:{{.Tag}}-nonroot-arm64v8
+      - ghcr.io/anchore/syft:{{.Tag}}-nonroot-arm64v8
+    goarch: arm64
+    dockerfile: Dockerfile.nonroot
+    use: buildx
+    build_flag_templates:
+      - "--platform=linux/arm64/v8"
+      - "--build-arg=BUILD_DATE={{.Date}}"
+      - "--build-arg=BUILD_VERSION={{.Version}}"
+      - "--build-arg=VCS_REF={{.FullCommit}}"
+      - "--build-arg=VCS_URL={{.GitURL}}"
+
+  - image_templates:
+      - anchore/syft:{{.Tag}}-nonroot-ppc64le
+      - ghcr.io/anchore/syft:{{.Tag}}-nonroot-ppc64le
+    goarch: ppc64le
+    dockerfile: Dockerfile.nonroot
+    use: buildx
+    build_flag_templates:
+      - "--platform=linux/ppc64le"
+      - "--build-arg=BUILD_DATE={{.Date}}"
+      - "--build-arg=BUILD_VERSION={{.Version}}"
+      - "--build-arg=VCS_REF={{.FullCommit}}"
+      - "--build-arg=VCS_URL={{.GitURL}}"
+
+  - image_templates:
+      - anchore/syft:{{.Tag}}-nonroot-s390x
+      - ghcr.io/anchore/syft:{{.Tag}}-nonroot-s390x
+    goarch: s390x
+    dockerfile: Dockerfile.nonroot
+    use: buildx
+    build_flag_templates:
+      - "--platform=linux/s390x"
+      - "--build-arg=BUILD_DATE={{.Date}}"
+      - "--build-arg=BUILD_VERSION={{.Version}}"
+      - "--build-arg=VCS_REF={{.FullCommit}}"
+      - "--build-arg=VCS_URL={{.GitURL}}"
+
  # debug images...
  - image_templates:
      - anchore/syft:{{.Tag}}-debug-amd64
@ -180,7 +233,6 @@ dockers:
      - "--build-arg=VCS_URL={{.GitURL}}"

 docker_manifests:
-  # anchore/syft manifests...
  - name_template: anchore/syft:latest
    image_templates:
      - anchore/syft:{{.Tag}}-amd64
@ -188,6 +240,13 @@ docker_manifests:
      - anchore/syft:{{.Tag}}-ppc64le
      - anchore/syft:{{.Tag}}-s390x

+  - name_template: ghcr.io/anchore/syft:latest
+    image_templates:
+      - ghcr.io/anchore/syft:{{.Tag}}-amd64
+      - ghcr.io/anchore/syft:{{.Tag}}-arm64v8
+      - ghcr.io/anchore/syft:{{.Tag}}-ppc64le
+      - ghcr.io/anchore/syft:{{.Tag}}-s390x
+
  - name_template: anchore/syft:{{.Tag}}
    image_templates:
      - anchore/syft:{{.Tag}}-amd64
@ -195,28 +254,6 @@ docker_manifests:
      - anchore/syft:{{.Tag}}-ppc64le
      - anchore/syft:{{.Tag}}-s390x

-  - name_template: anchore/syft:debug
-    image_templates:
-      - anchore/syft:{{.Tag}}-debug-amd64
-      - anchore/syft:{{.Tag}}-debug-arm64v8
-      - anchore/syft:{{.Tag}}-debug-ppc64le
-      - anchore/syft:{{.Tag}}-debug-s390x
-
-  - name_template: anchore/syft:{{.Tag}}-debug
-    image_templates:
-      - anchore/syft:{{.Tag}}-debug-amd64
-      - anchore/syft:{{.Tag}}-debug-arm64v8
-      - anchore/syft:{{.Tag}}-debug-ppc64le
-      - anchore/syft:{{.Tag}}-debug-s390x
-
-  # ghcr.io/anchore/syft manifests...
-  - name_template: ghcr.io/anchore/syft:latest
-    image_templates:
-      - ghcr.io/anchore/syft:{{.Tag}}-amd64
-      - ghcr.io/anchore/syft:{{.Tag}}-arm64v8
-      - ghcr.io/anchore/syft:{{.Tag}}-ppc64le
-      - ghcr.io/anchore/syft:{{.Tag}}-s390x
-
  - name_template: ghcr.io/anchore/syft:{{.Tag}}
    image_templates:
      - ghcr.io/anchore/syft:{{.Tag}}-amd64
@ -224,6 +261,43 @@ docker_manifests:
      - ghcr.io/anchore/syft:{{.Tag}}-ppc64le
      - ghcr.io/anchore/syft:{{.Tag}}-s390x

+  # nonroot images...
+  - name_template: anchore/syft:nonroot
+    image_templates:
+      - anchore/syft:{{.Tag}}-nonroot-amd64
+      - anchore/syft:{{.Tag}}-nonroot-arm64v8
+      - anchore/syft:{{.Tag}}-nonroot-ppc64le
+      - anchore/syft:{{.Tag}}-nonroot-s390x
+
+  - name_template: ghcr.io/anchore/syft:nonroot
+    image_templates:
+      - ghcr.io/anchore/syft:{{.Tag}}-nonroot-amd64
+      - ghcr.io/anchore/syft:{{.Tag}}-nonroot-arm64v8
+      - ghcr.io/anchore/syft:{{.Tag}}-nonroot-ppc64le
+      - ghcr.io/anchore/syft:{{.Tag}}-nonroot-s390x
+
+  - name_template: anchore/syft:{{.Tag}}-nonroot
+    image_templates:
+      - anchore/syft:{{.Tag}}-nonroot-amd64
+      - anchore/syft:{{.Tag}}-nonroot-arm64v8
+      - anchore/syft:{{.Tag}}-nonroot-ppc64le
+      - anchore/syft:{{.Tag}}-nonroot-s390x
+
+  - name_template: ghcr.io/anchore/syft:{{.Tag}}-nonroot
+    image_templates:
+      - ghcr.io/anchore/syft:{{.Tag}}-nonroot-amd64
+      - ghcr.io/anchore/syft:{{.Tag}}-nonroot-arm64v8
+      - ghcr.io/anchore/syft:{{.Tag}}-nonroot-ppc64le
+      - ghcr.io/anchore/syft:{{.Tag}}-nonroot-s390x
+
+  # debug images...
+  - name_template: anchore/syft:debug
+    image_templates:
+      - anchore/syft:{{.Tag}}-debug-amd64
+      - anchore/syft:{{.Tag}}-debug-arm64v8
+      - anchore/syft:{{.Tag}}-debug-ppc64le
+      - anchore/syft:{{.Tag}}-debug-s390x
+
  - name_template: ghcr.io/anchore/syft:debug
    image_templates:
      - ghcr.io/anchore/syft:{{.Tag}}-debug-amd64
@ -231,6 +305,13 @@ docker_manifests:
      - ghcr.io/anchore/syft:{{.Tag}}-debug-ppc64le
      - ghcr.io/anchore/syft:{{.Tag}}-debug-s390x

+  - name_template: anchore/syft:{{.Tag}}-debug
+    image_templates:
+      - anchore/syft:{{.Tag}}-debug-amd64
+      - anchore/syft:{{.Tag}}-debug-arm64v8
+      - anchore/syft:{{.Tag}}-debug-ppc64le
+      - anchore/syft:{{.Tag}}-debug-s390x
+
  - name_template: ghcr.io/anchore/syft:{{.Tag}}-debug
    image_templates:
      - ghcr.io/anchore/syft:{{.Tag}}-debug-amd64
--- a/8
+++ b/8
@ -1,12 +1,14 @@
-FROM gcr.io/distroless/static-debian12:nonroot
+FROM gcr.io/distroless/static-debian12:latest AS build
+
+FROM scratch
+# needed for version check HTTPS request
+COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt

 # create the /tmp dir, which is needed for image content cache
 WORKDIR /tmp

 COPY syft /

-USER nonroot
-
 ARG BUILD_DATE
 ARG BUILD_VERSION
 ARG VCS_REF
--- a/Dockerfile.nonroot
+++ b/Dockerfile.nonroot
@ -0,0 +1,27 @@
+FROM gcr.io/distroless/static-debian12:nonroot
+
+# create the /tmp dir, which is needed for image content cache
+WORKDIR /tmp
+
+COPY syft /
+
+USER nonroot
+
+ARG BUILD_DATE
+ARG BUILD_VERSION
+ARG VCS_REF
+ARG VCS_URL
+
+LABEL org.opencontainers.image.created=$BUILD_DATE
+LABEL org.opencontainers.image.title="syft"
+LABEL org.opencontainers.image.description="CLI tool and library for generating a Software Bill of Materials from container images and filesystems"
+LABEL org.opencontainers.image.source=$VCS_URL
+LABEL org.opencontainers.image.revision=$VCS_REF
+LABEL org.opencontainers.image.vendor="Anchore, Inc."
+LABEL org.opencontainers.image.version=$BUILD_VERSION
+LABEL org.opencontainers.image.licenses="Apache-2.0"
+LABEL io.artifacthub.package.readme-url="https://raw.githubusercontent.com/anchore/syft/main/README.md"
+LABEL io.artifacthub.package.logo-url="https://user-images.githubusercontent.com/5199289/136844524-1527b09f-c5cb-4aa9-be54-5aa92a6086c1.png"
+LABEL io.artifacthub.package.license="Apache-2.0"
+
+ENTRYPOINT ["/syft"]