This is a confusing error message:
* Distroless is based on Debian packages, not on Fedora/Red Hat/CentOS packages, so there is not a 1-to-1 correspondence between the packages.
* The "static" image contains NO shared libraries or executable binaries of any kind, if I recall correctly. It just contains some configuration files, root public key certificates, and timezone information.
I suspect the issue is likely whatever is being installed on TOP of this base image. Can you provide any more details about what exactly this security scanner is reporting as an issue?
You may also want to try "gcr.io/distroless/static-debian10:nonroot" which at least contains slightly newer versions of some of those configuration files, although again I would be surprised if this could matter.
Good luck,
Evan