Usually, busybox has symlinks for tools to the busybox binary. Is COPY doing the right thing here?

This is true. Because the busybox is named rm within the container, it just works. Do you see any issue with this approach? If so, I can look at alternatives.

No was just curious how it is handled in the distroless container. If it works then all good.

I am not following why we are making this change, and how it differs from just using the distroless -dev tag as our base. My understanding is the distroless-dev tags include busybox and the sleep command. If we end up copying the busybox binary to the final image (as is done here), isn't the final SBOM nearly the same?

Please let me know if I am missing something.

@cdesiniotis It does differ because the binary relies on the name to determine its persona (i.e. rm vs ls etc). However, I concluded it might be a security risk and decided to build rm from source instead.

I am not following why we are making this change, and how it differs from just using the distroless -dev tag as our base. My understanding is the distroless-dev tags include busybox and the sleep command. If we end up copying the busybox binary to the final image (as is done here), isn't the final SBOM nearly the same?

Please let me know if I am missing something.