anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

support tar.gz compression #2490

Open tomerse-sg opened 6 months ago

tomerse-sg commented 6 months ago

What would you like to be added: Hi, today when I have a large image I sometimes create a .tar and then compress it as .gz in order to reduce the size. However, when I run syft it returns empty artifacts, like here:

  "artifacts": [],
  "artifactRelationships": [],

I know that if I do: docker save -o <image_name>.tar.gz <image_name> it does work. The issue happens because of the structure of the created file.

For example: the first structure will work fine, and the second one will return an empty SBOM.

[image: screenshot comparing the two archive structures]

Why is this needed: it will be helpful for handling large images. Additional context:

tgerla commented 5 months ago

Hey @tomerse-sg, thanks for the suggestion. We'll put this in the backlog for future implementation. If you're interested in adding this feature let us know and we can point you in the right direction.

Also, we did a little bit of looking and found that if you ask Docker to save a file as .tar.gz, it simply saves it in tar format, without the gz compression, regardless of the filename or extension you specify. So, that's why scanning the file right out of Docker works.
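The mismatch between extension and content described above is exactly the kind of thing a wrapper script should check before handing an archive to syft. The following is an added example, not syft's own code or anything posted in this thread: it identifies the archive by its magic bytes (gzip, zstd, or a plain ustar tar) rather than by file name, decompresses only when needed, and then invokes syft on the plain tar. It assumes `syft`, `gzip`, and `zstd` are on PATH and that the archive is a `docker save` output (the `docker-archive:` source scheme); the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not part of syft): pick the real format of an image archive
# from its leading bytes instead of its extension, so a "foo.tar.gz" that is
# actually a plain tar (as docker save produces) is not mis-handled, and a
# real gzip/zstd stream is decompressed before syft sees it.

# Print the actual format of a file: gzip, zstd, tar, or unknown (exit 1).
archive_kind() {
    f=$1
    # First four bytes as space-separated octal, e.g. "037 213 010 000".
    head4=$(dd if="$f" bs=4 count=1 2>/dev/null | od -An -t o1 \
            | tr -s ' \n' ' ' | sed 's/^ //;s/ $//')
    case "$head4" in
        "037 213"*)        echo gzip; return 0 ;;   # 1f 8b
        "050 265 057 375") echo zstd; return 0 ;;   # 28 b5 2f fd
    esac
    # A POSIX ustar tar carries the string "ustar" at byte offset 257.
    if [ "$(dd if="$f" bs=1 skip=257 count=5 2>/dev/null)" = "ustar" ]; then
        echo tar; return 0
    fi
    echo unknown
    return 1
}

# Ensure a plain tar exists for syft and print its path: compressed inputs
# are decompressed into a temp file, a plain tar is passed through untouched.
to_plain_tar() {
    src=$1
    kind=$(archive_kind "$src") || { echo "unrecognised archive: $src" >&2; return 1; }
    case "$kind" in
        tar)  printf '%s\n' "$src" ;;
        gzip) out=$(mktemp) && gzip -dc "$src" > "$out" && printf '%s\n' "$out" ;;
        zstd) out=$(mktemp) && zstd -dc "$src" > "$out" && printf '%s\n' "$out" ;;  # assumes the zstd CLI
    esac
}

# Scan an image archive with syft (assumed on PATH), emitting JSON.
# docker-archive: matches "docker save" output; use oci-archive: for OCI layouts.
scan_image_archive() {
    tarfile=$(to_plain_tar "$1") || return 1
    syft "docker-archive:$tarfile" -o json
}

# Usage (uncomment to run against a real archive):
# scan_image_archive ./my-image.tar.gz
```

With this in front of syft, an archive that was gzip-compressed by hand is decompressed before scanning, while a `docker save -o image.tar.gz` file is recognised as plain tar and passed through, so both cases produce a populated SBOM instead of an empty `artifacts` list.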

mrjoel commented 2 weeks ago

I'll add a "me too" to this issue and follow it. We do a fair amount of offline oci-archive transfers and having them compressed with zstd makes it more convenient. Further, on the receiving side, doing a podman pull oci-archive:some-image.tar.zst now works transparently, so it'd be nice to be able to point syft to the same archive without additional processing/unpacking.