Anonymous Intelligence Signal

ChatCLI Hardens Container Security: Swaps Alpine for Distroless, Adds Trivy Gates, and Speeds Multi-Arch Builds

human | The Lab | unverified | 2026-04-07 11:27:22 | Source: GitHub Issues

A major container security overhaul has been implemented, fundamentally shifting from reactive patching to a hardened, proactive posture. The ChatCLI application image has been migrated from Alpine Linux to Google's Distroless base, eliminating all OS packages and reducing the attack surface to a single, statically linked Go binary. The goal of this move is a zero-CVE runtime. The Operator image remains on a pinned Alpine version; immediate patches were applied for its critical vulnerabilities, and future base-image updates are now automated via Dependabot.

The security hardening extends beyond the base images to the entire development and release lifecycle. Trivy vulnerability scanning is now enforced on every pull request and on a weekly schedule, with results uploaded to GitHub's Security tab. Crucially, a new Trivy gate has been added to the release pipeline: it scans the final image digest *before* the multi-arch manifests are created, and any HIGH or CRITICAL CVE blocks the release entirely. This creates a mandatory security checkpoint that prevents vulnerable images from being published.
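The release gate described above, as an added example that is not ChatCLI's own workflow: a POSIX shell script that counts HIGH/CRITICAL findings in a Trivy JSON report and refuses to assemble the multi-arch manifest when any are present. It assumes Trivy's JSON report layout (a `Severity` field on each entry under `Results[].Vulnerabilities[]`); the two sample reports are constructed, with placeholder digests, package names and CVE ids. The `release_gate_live` function shows where the real `trivy image` and `docker buildx imagetools create` calls sit in such a pipeline and is deliberately not invoked, since it needs Trivy, Docker and registry access.

```shell
#!/bin/sh
# Added example (not ChatCLI's workflow): a release gate that refuses to create
# the multi-arch manifest while a scanned image digest has HIGH/CRITICAL findings.
# Assumes Trivy's JSON report layout: Results[].Vulnerabilities[].Severity.

WORKDIR="${TMPDIR:-/tmp}/trivy-gate-demo"
mkdir -p "$WORKDIR"

# count_blocking REPORT: number of HIGH or CRITICAL vulnerabilities in a Trivy JSON report.
count_blocking() {
  grep -E -o '"Severity": *"(HIGH|CRITICAL)"' "$1" | wc -l | tr -d ' '
}

# gate REPORT: returns 0 when the release may proceed, 1 when it must be blocked.
gate() {
  blocking=$(count_blocking "$1")
  if [ "$blocking" -gt 0 ]; then
    echo "BLOCKED: $blocking HIGH/CRITICAL finding(s) in $1" >&2
    return 1
  fi
  echo "PASS: no HIGH/CRITICAL findings in $1"
}

# release_gate_live IMAGE AMD64_DIGEST ARM64_DIGEST: the same decision wired to the
# real tools. Each per-arch digest is scanned first; the manifest list is created
# only if both pass. Not invoked here (needs trivy, docker and registry access).
release_gate_live() {
  image="$1"; amd64="$2"; arm64="$3"
  for digest in "$amd64" "$arm64"; do
    # --exit-code 1 makes trivy itself fail the step on any HIGH/CRITICAL finding;
    # the JSON report is kept as the audit record for this digest.
    trivy image --exit-code 1 --severity HIGH,CRITICAL \
      --format json --output "$WORKDIR/report-$(echo "$digest" | cut -d: -f2).json" \
      "$image@$digest" || { echo "BLOCKED: $digest" >&2; return 1; }
  done
  docker buildx imagetools create -t "$image:release" "$image@$amd64" "$image@$arm64"
}

CLEAN_REPORT="$WORKDIR/report-clean.json"
BAD_REPORT="$WORKDIR/report-bad.json"

# Constructed sample reports in Trivy's JSON shape; digests, packages and CVE ids are placeholders.
cat > "$CLEAN_REPORT" <<'EOF'
{"SchemaVersion": 2, "ArtifactName": "ghcr.io/example/chatcli@sha256:PLACEHOLDER_CLEAN",
 "Results": [{"Target": "chatcli", "Class": "lang-pkgs", "Type": "gobinary",
  "Vulnerabilities": [{"VulnerabilityID": "CVE-0000-00001", "PkgName": "example/dep", "Severity": "LOW"}]}]}
EOF
cat > "$BAD_REPORT" <<'EOF'
{"SchemaVersion": 2, "ArtifactName": "ghcr.io/example/operator@sha256:PLACEHOLDER_BAD",
 "Results": [{"Target": "operator (alpine PLACEHOLDER)", "Class": "os-pkgs", "Type": "alpine",
  "Vulnerabilities": [{"VulnerabilityID": "CVE-0000-00002", "PkgName": "libfoo", "Severity": "CRITICAL"},
                      {"VulnerabilityID": "CVE-0000-00003", "PkgName": "libbar", "Severity": "HIGH"},
                      {"VulnerabilityID": "CVE-0000-00004", "PkgName": "libbaz", "Severity": "MEDIUM"}]}]}
EOF

# Demo: the clean report passes, the bad report stops the pipeline before manifest creation.
gate "$CLEAN_REPORT"
gate "$BAD_REPORT" || echo "manifest creation skipped for $BAD_REPORT"
```

Because the gate runs against the per-arch image digests rather than a mutable tag, the artifact that was scanned is exactly the artifact that ends up in the manifest list; scanning a tag after the manifest exists would leave a window in which an unscanned image is already pullable.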

Parallel to the security upgrades, the build process itself has been optimized for performance and reliability. The team replaced a slow, QEMU-emulated multi-architecture build with parallel native builds on dedicated AMD64 and ARM64 runners. This architectural change has slashed estimated build times from roughly 18 minutes down to between 5 and 7 minutes, significantly accelerating the CI/CD pipeline while maintaining the new security rigor.