Debug Docker images are running as nonroot user

[keliansb]

What happened:

debug Docker images are running as nonroot user.

What you expected to happen:

#3941 included in release 1.27.0 introduced a breaking change by running the image as nonroot user.
#3998 included in release 1.27.1 reverted this change by building a separate nonroot image.
I expect the debug image to run as root, as it did prior to version 1.27.0.

Steps to reproduce the issue:

Run the command whoami inside a container based on the debug image:

docker run --rm --entrypoint whoami ghcr.io/anchore/syft:v1.29.1-debug

The result is nonroot instead of root.

Anything else we need to know?:

Environment:

• Output of syft version:

Application:   syft
Version:       1.29.1
BuildDate:     2025-07-30T18:16:10Z
GitCommit:     386ef842d99a72027fb5fd1085fde87883640eaf
GitDescription: v1.29.1
Platform:      linux/amd64
GoVersion:     go1.24.5
Compiler:      gc
SchemaVersion: 16.0.36

• OS (e.g: cat /etc/os-release or similar):

PRETTY_NAME="Distroless"
NAME="Debian GNU/Linux"
ID="debian"
VERSION_ID="12"
VERSION="Debian GNU/Linux 12 (bookworm)"
HOME_URL="https://github.com/GoogleContainerTools/distroless"
SUPPORT_URL="https://github.com/GoogleContainerTools/distroless/blob/master/README.md"
BUG_REPORT_URL="https://github.com/GoogleContainerTools/distroless/issues/new"

[kzantow]

Question for @anchore/tools : do we want to roll this change back? Do we want yet another tag for deubg-nonroot? Were there any viable workarounds?

[keliansb]

Hello guys, any news on this issue?