fix: replace Alpine runtime with distroless to eliminate BusyBox CVEs

[MaheshYadlapati]

Fixes #1716

Problem

The container image uses alpine:3.21.2 as the runtime base, which
bundles BusyBox. Two CVEs are present:

• CVE-2022-28391 (CVSS 8.8) — RCE via BusyBox netstat
• CVE-2022-30065 — Use-after-free in BusyBox awk

Fix

driftctl is a statically compiled Go binary with no runtime dependencies
on Alpine or BusyBox. Switching to gcr.io/distroless/static eliminates
the entire BusyBox attack surface.

Changes:

• Replace FROM alpine:3.21.2 with FROM gcr.io/distroless/static
• Remove RUN chmod +x — unnecessary since binary permissions are
  preserved from the builder stage and distroless has no shell

The builder stage (golang:1.23) is unchanged.

Testing

Image builds and runs identically — only the runtime base layer changes.
The binary entrypoint is unaffected.

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[MaheshYadlapati]

Hi team, raised this PR to address #1716. @ioannacaba, would really appreciate a review and approval when you get a chance.