syft pushes multiple tags for the same image id

[alfredodeza]

From @pvnovarese on slack (internal Slack link):

I have alpine:latest on my local machine. I retagged it and pushed it to a harbor registry. Then, when I did syft alpine:latest and pushed it to enterprise, it pushed BOTH tags (the docker hub one and the harbor registry one).

I think this sort of makes sense in some cases, eg in the context that I might have a single image with the tags e.g. image:v1.0 and image:latest but doing it quietly (there was no output that indicated it was doing this) caught me off guard

like maybe a flag --include-all-tags-wtih-same-image-id or something

tl;dr: The current implementation has a non-obvious behavior. If the user has multiple tags for an image locally, but their syft command refers to one tag in particular, all local tags are sent to Anchore Engine. This should not be the default behavior; however, we should consider making it possible to include all tags at the user's request.

[spiffcs]

Moved this to our internal board since we're thinking about removing the import functionality from syft altogether for future releases.