
Fix broken KICS image when version is bumped above v2.1.3

Description

While working on SASTBot: Monthly dependency updates for 17.9 (gitlab-org/security-products/analyzers/kics!142 - merged), we discovered that the KICS binary fails to run in an Alpine image when using versions after v2.1.3.

This is because the CGO_ENABLED=0 flag was removed from the upstream Dockerfile, which changed the build from a statically linked, pure Go binary with no C dependencies to one that is dynamically linked against the system C library.

Because the C library the KICS binary is linked against (glibc) differs from the one shipped in our Alpine image (musl), the binary fails at startup with a missing-library error.
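As an added check (not part of this issue or the KICS project): a small Python script that reads an ELF64 binary's PT_INTERP entry to report whether it was built static (CGO_ENABLED=0), against glibc's loader, or against musl's. The `make_sample_elf` helper builds a constructed, minimal ELF stand-in for a real binary so the logic can be exercised offline; in CI you would run `libc_flavour` over the actual KICS binary before baking it into the Alpine image.

```python
import struct
import sys
from typing import Optional

ELF_MAGIC = b"\x7fELF"
PT_INTERP = 3  # program header type carrying the dynamic loader path
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # little-endian ELF64 file header
PHDR = struct.Struct("<IIQQQQQQ")          # little-endian ELF64 program header


def interpreter_of(data: bytes) -> Optional[str]:
    """Return the PT_INTERP path of a little-endian ELF64 image, or None if absent (static binary)."""
    if data[:4] != ELF_MAGIC or data[4] != 2:  # e_ident[EI_CLASS] == ELFCLASS64
        raise ValueError("not a little-endian ELF64 file")
    hdr = EHDR.unpack_from(data, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    for i in range(phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz, _ms, _al = PHDR.unpack_from(data, phoff + i * phentsize)
        if p_type == PT_INTERP:
            return data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
    return None


def libc_flavour(data: bytes) -> str:
    """Classify a binary as 'static', 'glibc', 'musl' or 'unknown' from its requested loader."""
    interp = interpreter_of(data)
    if interp is None:
        return "static"      # no loader requested: runs on Alpine and Debian alike
    if "ld-musl" in interp:
        return "musl"        # loader present in Alpine
    if "ld-linux" in interp:
        return "glibc"       # loader absent from a plain Alpine image -> missing-library error
    return "unknown"


def make_sample_elf(interp: Optional[str]) -> bytes:
    """Constructed minimal ELF64 (header plus optional PT_INTERP segment); not a runnable program."""
    phnum = 1 if interp is not None else 0
    interp_bytes = (interp.encode() + b"\0") if interp is not None else b""
    data_off = EHDR.size + PHDR.size * phnum
    ident = ELF_MAGIC + bytes([2, 1, 1]) + bytes(9)  # ELFCLASS64, ELFDATA2LSB, EV_CURRENT, padding
    ehdr = EHDR.pack(ident, 2, 0x3E, 1, 0, EHDR.size if phnum else 0, 0, 0,
                     EHDR.size, PHDR.size, phnum, 0, 0, 0)
    phdr = PHDR.pack(PT_INTERP, 4, data_off, 0, 0, len(interp_bytes), len(interp_bytes), 1) if phnum else b""
    return ehdr + phdr + interp_bytes


if __name__ == "__main__":
    # Usage: python check_libc.py /path/to/kics  (assumed path; replace with the real binary)
    with open(sys.argv[1], "rb") as fh:
        print(libc_flavour(fh.read()))
```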

Fixes

Approach 1

Create an upstream PR to add the CGO_ENABLED=0 flag back to the Dockerfile to restore static linking. A PR has been submitted.

Status: Awaiting review and acceptance.

Approach 2

Add libc6-compat to our Alpine container to provide the necessary dynamic libraries. This approach introduces critical- and medium-severity vulnerabilities, so the task would be to review them and ensure they are not exploitable in our context.

We should adopt this approach if the PR from Approach 1 is not approved by 1 April.

Approach 3

Change our base image from alpine:latest to debian:stable-slim. More context in this comment.

This will have the following impact:

  1. Custom before_script configurations will break, although this is considered out of scope according to our official statement of support:

    Out of scope: I run a custom before_script on a security scanning job, and now a package or file I need is no longer available.

  2. New vulnerabilities might be introduced (to be confirmed).

Alternatives that were explored and not viable

Installing libstdc++ as an alternative library. This does not work, as the missing-library error is still present.

Edited by Shao Ming Tan