
build: add distroless image variant#5258

Open
roidelapluie wants to merge 1 commit into
prometheus:mainfrom
roidelapluie:roidelapluie/distroless

Conversation

roidelapluie (Member) commented May 28, 2026

The distroless image runs as nonroot (UID 65532) without a shell, reducing the attack surface compared to the busybox-based image.

Pull Request Checklist

Please check all the applicable boxes.

  • Please list all open issue(s) discussed with maintainers related to this change
    • Fixes #
  • Is this a new Receiver integration?
  • Is this a bugfix?
    • I have added tests that can reproduce the bug which pass with this bugfix applied
  • Is this a new feature?
    • I have added tests that test the new feature's functionality
  • Does this change affect performance?
    • I have provided benchmarks comparison that shows performance is improved or is not degraded
      • You can use benchstat to compare benchmarks
    • I have added new benchmarks if required or requested by maintainers
  • Is this a breaking change?
    • My changes do not break the existing cluster messages
    • My changes do not break the existing api
  • I have added/updated the required documentation
  • I have signed-off my commits
  • I will follow best practices for contributing to this project

Which user-facing changes does this PR introduce?

[FEATURE] Alertmanager: Add a Distroless container image

Summary by CodeRabbit

  • Chores
    • Added support for distroless, non-root container image deployment with multi-architecture support, providing a lightweight and security-hardened containerization option for Alertmanager.

The distroless image runs as nonroot (UID 65532) without a shell,
reducing the attack surface compared to the busybox-based image.

Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
@roidelapluie roidelapluie requested a review from a team as a code owner May 28, 2026 10:47
coderabbitai (Bot) commented May 28, 2026
Walkthrough

A new Dockerfile.distroless builds a minimal, non-root Alertmanager container image using distroless base images. The Dockerfile accepts build-time architecture and OS parameters, selects the corresponding distroless base, applies OCI metadata labels, copies pre-built Alertmanager binaries and configuration from build output, and configures the container to start Alertmanager with designated config and storage paths.

Changes

Distroless Container Image

  • Distroless base image and architecture selection (Dockerfile.distroless): Distroless base image is parameterized by CPU architecture via the DISTROLESS_ARCH build argument and selected as the non-root runtime base.
  • Build arguments and container metadata labels (Dockerfile.distroless): Build-time ARCH and OS arguments are defined, and Open Containers Initiative labels are set for image authorship, vendor, title, description, documentation, licensing, and variant identification.
  • Binary and configuration staging with runtime setup (Dockerfile.distroless): Alertmanager YAML configuration, license/notice files, and compiled binaries (alertmanager and amtool) are copied from OS/arch-specific build directories. Working directory is set, port 9093 is exposed, and the container entry point and startup command are configured to launch Alertmanager.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Pre-merge checks: 5 passed

  • Title check: Passed. The title clearly and concisely describes the main change: adding a distroless container image variant for Alertmanager build processes.
  • Description check: Passed. The description provides context about the distroless image benefits (nonroot UID 65532, no shell, reduced attack surface) and includes a release notes entry, but does not complete or address most checklist items.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


coderabbitai (Bot) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile.distroless`:
- Around line 4-6: Dockerfile.distroless currently uses the distroless base
image but lacks an explicit USER instruction required by DS-0002; add an
explicit "USER 65532:65532" directive in Dockerfile.distroless just before the
final ENTRYPOINT/CMD instructions (i.e., insert USER 65532:65532 in the
Dockerfile.distroless around the end of the file) so the Dockerfile contains an
explicit non-root USER even though the base image already sets one.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 1b1833eb-6206-4534-ada7-b5f124b747b8

📥 Commits

Reviewing files that changed from the base of the PR and between 36afed4 and 4aa7711.

📒 Files selected for processing (1)
  • Dockerfile.distroless

Comment thread Dockerfile.distroless
Comment on lines +4 to +6
FROM gcr.io/distroless/static-debian13:nonroot-${DISTROLESS_ARCH}
# Base image sets USER to 65532:65532 (nonroot user).


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

Does Trivy misconfiguration rule DS-0002 ("Image user should not be 'root'") require an explicit USER instruction in the Dockerfile even when the base image already sets a non-root user?

💡 Result:

Trivy misconfiguration rule DS-0002 (also known as AVD-DS-0002) is designed to ensure that containers do not run as the root user [1][2]. The rule specifically checks for the presence of a USER instruction in the Dockerfile [1][3]. Historically, this rule has been interpreted by the scanner as requiring an explicit USER instruction within the Dockerfile itself, regardless of whether the base image defines a non-root user [1][4]. If the Dockerfile lacks a USER instruction, Trivy may flag a DS-0002 violation even if the resulting image is effectively configured to run as a non-root user due to the base image settings [1][4]. Users have reported this behavior as a pain point in various scenarios, such as when using base images that already specify a non-root user [1][3]. While updates to Trivy have occasionally introduced regressions or changes in how strictly this is enforced, the rule's primary logic remains focused on validating the Dockerfile configuration [1][5][4]. If you encounter this issue, you have a few options: 1. Explicitly add a USER instruction to your Dockerfile (e.g., USER ) to satisfy the scanner [6][7]. 2. If you are certain your image is secure, you can ignore the finding using a .trivyignore.yaml file [8]. Inline comments for ignoring this specific rule are generally not supported because the check is triggered by the absence of the instruction [8]. 3. Ensure you are using the latest version of Trivy, as the maintainers continue to refine how the scanner interprets image metadata versus Dockerfile content [1][5].

🏁 Script executed:

#!/bin/bash
set -euo pipefail
ls -la
find . -maxdepth 4 -name 'Dockerfile.distroless' -print
if [ -f Dockerfile.distroless ]; then
  echo '--- Dockerfile.distroless (first 120 lines) ---'
  cat -n Dockerfile.distroless | head -n 120
else
  # if not at repo root, print the first match
  f="$(find . -name 'Dockerfile.distroless' -print -quit)"
  echo "--- Found $f ---"
  cat -n "$f" | head -n 200
fi

Repository: prometheus/alertmanager

Length of output: 5440


Add an explicit USER in Dockerfile.distroless to satisfy DS-0002

Dockerfile.distroless uses gcr.io/distroless/static-debian13:nonroot-${DISTROLESS_ARCH} but contains no USER directive; Trivy’s DS-0002 logic checks for an explicit USER instruction in the Dockerfile (even when the base image already sets a non-root user). Add USER 65532:65532 before the ENTRYPOINT/CMD (around lines 25–29).

Suggested patch
 WORKDIR    /alertmanager
 EXPOSE     9093
+USER       65532:65532
 ENTRYPOINT [ "/bin/alertmanager" ]
 CMD        [ "--config.file=/etc/alertmanager/alertmanager.yml", \
              "--storage.path=/alertmanager" ]
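As an added example for the DS-0002 point in this review (my own code, not Trivy's rule implementation and not part of this PR), the following Python script applies the same reading of the rule to Dockerfile text: only a USER instruction in the final build stage counts, so a non-root user inherited from the base image (the distroless nonroot tag) is not credited. The sample Dockerfiles are constructed to mirror the PR's Dockerfile.distroless with and without the suggested USER line, plus a multi-stage case; the function names are this example's own.

```python
"""DS-0002-style check on Dockerfile text.

Added example for this thread: not Trivy's implementation and not part of
the Alertmanager PR. It reproduces the behaviour the review describes: only
a USER instruction written in the Dockerfile's final stage is credited, so a
non-root user inherited from the base image (the distroless `nonroot` tag)
does not count. Function names and sample Dockerfiles are this example's own.
"""

ROOT_USERS = {"root", "0"}


def parse_instructions(text):
    """Yield (INSTRUCTION, argument) pairs; joins backslash continuations
    (the PR's CMD spans two lines) and drops comments and blank lines."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        logical = pending + line
        pending = ""
        parts = logical.split(None, 1)
        yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def final_stage(instructions):
    """Keep only the last FROM ... stage: a USER in a builder stage says
    nothing about the user the shipped image runs as."""
    stages = []
    for instr, arg in instructions:
        if instr == "FROM":
            stages.append([])
        if stages:  # instructions before the first FROM (global ARG) are ignored
            stages[-1].append((instr, arg))
    return stages[-1] if stages else []


def check_ds0002(dockerfile_text):
    """Return (passed, reason). Passes only when the final stage sets USER
    explicitly and its last value is neither root nor UID 0."""
    stage = final_stage(parse_instructions(dockerfile_text))
    users = [arg.strip() for instr, arg in stage if instr == "USER"]
    if not users:
        return False, "no USER instruction in final stage (base image USER is not credited)"
    last = users[-1]
    name = last.split(":", 1)[0]
    if name in ROOT_USERS:
        return False, f"final USER is root: {last}"
    if name.startswith("$"):
        # This example's choice: an unresolved variable cannot be trusted to be non-root.
        return False, f"final USER is an unresolved variable: {last}"
    return True, f"final USER is {last}"


# Constructed sample mirroring the PR's Dockerfile as posted (no USER line).
DOCKERFILE_NO_USER = """\
ARG DISTROLESS_ARCH=amd64
FROM gcr.io/distroless/static-debian13:nonroot-${DISTROLESS_ARCH}
# Base image sets USER to 65532:65532 (nonroot user).
COPY alertmanager /bin/alertmanager
WORKDIR    /alertmanager
EXPOSE     9093
ENTRYPOINT [ "/bin/alertmanager" ]
CMD        [ "--config.file=/etc/alertmanager/alertmanager.yml", \\
             "--storage.path=/alertmanager" ]
"""

# Same file with the USER line the review suggests, inserted before ENTRYPOINT.
DOCKERFILE_WITH_USER = DOCKERFILE_NO_USER.replace(
    "ENTRYPOINT", "USER       65532:65532\nENTRYPOINT")

# Constructed multi-stage file: non-root in the builder, root in the shipped stage.
DOCKERFILE_ROOT_FINAL = """\
FROM golang:1.24 AS build
USER 65532
COPY . /src
FROM debian:13
COPY --from=build /src/app /app
USER root
ENTRYPOINT ["/app"]
"""

if __name__ == "__main__":
    for label, text in [("no USER", DOCKERFILE_NO_USER),
                        ("explicit USER", DOCKERFILE_WITH_USER),
                        ("root in final stage", DOCKERFILE_ROOT_FINAL)]:
        passed, reason = check_ds0002(text)
        print(f"{label:20s} {'PASS' if passed else 'FAIL'}: {reason}")
```

The first sample fails for exactly the reason the bot gives: the nonroot tag sets the user in the image config, but a Dockerfile scanner never sees that config, so the comment on the FROM line is not a substitute for the USER instruction. The multi-stage sample shows why only the final stage is inspected: a builder stage running as 65532 does not make the shipped image non-root.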
