sigstore / cosign

Code signing and transparency for containers and binaries
Apache License 2.0

cmd: dockerfile: resolve: replace all images with Chainguard's (Wolfi) - (if possible) #2624

Open Dentrax opened 1 year ago

Dentrax commented 1 year ago

Description

Introduce a new subcommand, something like `resolve-chainguard` or `resolve --chainguard`, for the `dockerfile` command. It should take Dockerfiles as input and rewrite all the container images to the corresponding `cgr.dev/chainguard/$PACKAGE`.

If the package does not exist, we can keep it as-is. Moreover, ask with a prompt like: "Package X does not exist, do you want to file a package request proposal on Wolfi?"

Motivation

Encourage end users to use Wolfi/Chainguard images and spread awareness of those images throughout the community.

Algorithm

  1. Implement new subcommand
  2. Aggregate all image indexes from sources
  3. Traverse the entire Dockerfile
     3.1. Check if the current image exists on the source
        3.1.1. Check if the image version/digest is pinned
           3.1.1.1. Check if the specific tag exists on the source
           3.1.1.2. Continue if it does not exist
     3.2. Replace the image
     3.3. Otherwise, keep it as-is
  4. Write new Dockerfile

Source of Truth

To get all available chainguard images, we need some source of truth:

  1. Makefile of Wolfi
  2. chainguard-images repo
  3. Any other way?

Related Work

The idea is similar to the PR dockerfile/resolve; that command actually rewrites all the images to pin their digests. /cc @developer-guy

Open Questions

  1. Does it make sense overall?
  2. What if an image is pinned with its version/digest and that specific version of the package does not exist on the source? Should we respect only `latest` tags for this concern?
  3. Is cosign the right place to implement this? (Since it's already widely adopted by open-source projects.) Would wolfictl be more suitable?

Waiting for your thoughts!
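The rewrite loop from the Algorithm section above, as an added example in Go; it is not cosign's own code and not the dockerfile/resolve PR. It assumes a constructed `ImageIndex` (package name to known tags) standing in for the "source of truth" the issue asks about, and the hypothetical helpers `splitRef` and `Resolve`. Images that are not in the index, that are pinned by digest, or whose pinned tag the index does not know are kept as-is and reported, which is the conservative answer to open question 2.

```go
package main

import (
	"fmt"
	"strings"
)

// ImageIndex is the "source of truth": package name -> set of tags known to
// exist. The data here is constructed; a real tool would build it from the
// Wolfi Makefile or the chainguard-images repo.
type ImageIndex map[string]map[string]bool

// splitRef splits "registry/ns/name:tag@digest" into (name, tag, digest).
// Only the last path element is treated as the package name, so that
// "docker.io/library/golang" and "golang" both map to "golang".
func splitRef(ref string) (name, tag, digest string) {
	if i := strings.Index(ref, "@"); i >= 0 {
		digest = ref[i+1:]
		ref = ref[:i]
	}
	// A tag separator is a ':' after the last '/', so "localhost:5000/x" has no tag.
	slash := strings.LastIndex(ref, "/")
	if i := strings.LastIndex(ref, ":"); i > slash {
		tag = ref[i+1:]
		ref = ref[:i]
	}
	name = ref[slash+1:]
	return name, tag, digest
}

// Resolve rewrites each FROM line whose image exists in idx to its
// cgr.dev/chainguard equivalent, preserving --flags, the tag and any AS alias.
// It returns the new Dockerfile and the references it left untouched:
//   - package unknown to idx        -> keep as-is (incl. "scratch" and stage aliases)
//   - pinned by digest              -> keep as-is (digests are image-specific)
//   - pinned tag not present in idx -> keep as-is (open question 2)
func Resolve(dockerfile string, idx ImageIndex) (string, []string) {
	var out, kept []string
	for _, line := range strings.Split(dockerfile, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 2 || !strings.EqualFold(fields[0], "FROM") {
			out = append(out, line)
			continue
		}
		// Skip options such as --platform=... to reach the image reference.
		i := 1
		for i < len(fields) && strings.HasPrefix(fields[i], "--") {
			i++
		}
		if i >= len(fields) {
			out = append(out, line)
			continue
		}
		ref := fields[i]
		name, tag, digest := splitRef(ref)
		tags, ok := idx[name]
		if !ok || digest != "" || (tag != "" && !tags[tag]) {
			kept = append(kept, ref)
			out = append(out, line)
			continue
		}
		newRef := "cgr.dev/chainguard/" + name
		if tag != "" {
			newRef += ":" + tag
		}
		fields[i] = newRef
		out = append(out, strings.Join(fields, " "))
	}
	return strings.Join(out, "\n"), kept
}

func main() {
	// Constructed sample index and Dockerfile.
	idx := ImageIndex{
		"golang": {"1.20": true, "latest": true},
		"python": {"latest": true},
	}
	in := "FROM --platform=linux/amd64 golang:1.20 AS builder\n" +
		"RUN go build ./...\n" +
		"FROM python:3.12\n" +
		"FROM alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000\n" +
		"FROM scratch"
	out, kept := Resolve(in, idx)
	fmt.Println(out)
	for _, k := range kept {
		fmt.Printf("kept as-is: %s\n", k)
	}
}
```

The `kept` list is what a prompt such as "Package X does not exist, do you want to file a package request?" would be driven from; a tool that wants to treat an untagged reference as `latest` and check that tag against the index only needs to extend the condition in `Resolve`.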

haydentherapper commented 1 year ago

I don't think Cosign should be opinionated on base image preferences. If you wanted to implement a replace-all-references function, it should be implemented such that you take a path to the image you want, rather than hardcode a preference.

cpanato commented 1 year ago

+1 on @haydentherapper comments