Allow source type input via CLI flag (not scheme) #1783

Closed
wagoodman opened this issue May 4, 2023 · 2 comments · Fixed by #2610
Labels
enhancement New feature or request

@wagoodman
Contributor

What would you like to be added:

Today we allow for input like this:

syft registry:my/image:latest

Which forces syft to reach out to grab my/image:latest directly from the registry, not through the docker daemon.

It would be great to add an optional --from flag that takes what we allow today as a scheme but instead as a CLI flag.

Note: we could allow for a holdover period that, if --from is empty, we fall back to today's scheme parsing approach. If someone attempts to use a scheme and specify --from, an error is returned.

Why is this needed:

There are known error cases in specific images that have always caused issues and complexities when parsing the scheme (more recently #1695). This moves syft forward to act more like anchorectl while removing these odd cases and code complexity (over time).
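
The resolution rules proposed in the issue above (flag wins, fall back to scheme parsing when --from is empty, error when both are given), as an added sketch that is not syft's own code. The scheme names, `splitScheme`, `ResolveSource` and `ErrSchemeAndFrom` are hypothetical, and the inputs are constructed:

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Assumed scheme names for this sketch; not syft's actual list.
var knownSchemes = map[string]bool{"registry": true, "docker": true, "dir": true}

var ErrSchemeAndFrom = errors.New("source uses a scheme prefix and --from was also given")

// splitScheme is the legacy heuristic: text before the first ':' counts as
// a scheme only when it is a known scheme name.
func splitScheme(input string) (scheme, ref string) {
	prefix, rest, found := strings.Cut(input, ":")
	if found && knownSchemes[prefix] {
		return prefix, rest
	}
	return "", input
}

// ResolveSource returns the source type and the reference to fetch.
// from is the value of the proposed --from flag ("" when not given).
// An empty source type means "no explicit source, auto-detect".
func ResolveSource(input, from string) (string, string, error) {
	scheme, ref := splitScheme(input)
	if from == "" {
		return scheme, ref, nil // holdover: fall back to scheme parsing
	}
	if !knownSchemes[from] {
		return "", "", fmt.Errorf("unknown --from value %q", from)
	}
	if scheme != "" {
		return "", "", ErrSchemeAndFrom // scheme and flag together are rejected
	}
	return from, input, nil // flag decides; input is taken verbatim
}

func main() {
	// Constructed inputs. "registry:2" is an image named "registry" with tag
	// "2", which the legacy heuristic reads as scheme "registry", ref "2".
	for _, c := range [][2]string{
		{"registry:my/image:latest", ""}, {"my/image:latest", "registry"},
		{"registry:my/image:latest", "registry"}, {"registry:2", ""},
	} {
		t, ref, err := ResolveSource(c[0], c[1])
		fmt.Printf("input=%q from=%q -> type=%q ref=%q err=%v\n", c[0], c[1], t, ref, err)
	}
}
```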

@willmurphyscode
Contributor

At this point, I assume it's not possible to accept the breaking change of making the source want a proper URI scheme like file://some-directory or docker://docker.io/library/alpine:latest or whatever? Would that remove enough ambiguity to solve all the use cases that --from is meant to solve? In other words, am I right in thinking that --from is a way to work around the fact that URIs with schemes were not used initially?

@kzantow
Contributor

kzantow commented Sep 18, 2023

Just an observation about the URI idea: something like git://https://github.com/anchore/syft is a valid URI, but looks a little weird.

In another tool, have a keyword like --from to make the source very explicit and it seems to work pretty well. I think it fits a bit with --platform and other flags we already have that affect fetching from the source. I'm 👍 with the idea.
