fix: multiplatform sbom and vulnscan #160

Merged
merged 18 commits into from
Aug 21, 2023

JonZeolla
Member

@JonZeolla JonZeolla commented Aug 18, 2023

Contributor Comments

This fixes multiplatform SBOM generation and vuln scanning. Little tricky and some workarounds due to:

Manual Testing

To test this I was running `task -v clean; for platform in all linux/arm64 linux/amd64; do PLATFORM=$platform task -v build; PLATFORM=$platform task -v sbom vulnscan; done` and you should see:

  • Success across the board; no failures with "all" or the specific platform build, sbom, or vulnscan runs
  • SBOMs and vuln scan results locally that are not empty and are properly formatted. The size of the arm64 and amd64 images should be different.
  • You should see tar files in your local environment for the platform that you aren't on - so that would be the multiplatform build (arm and amd) and the arm (if you are on amd) or the amd (if you are on arm). If you are on arm, the arm build (or amd with amd) should be loaded into your docker daemon; see that with `docker image ls | head -10`

There may be some other, better and more creative ways to test.

Pull Request Checklist

Thank you for submitting a contribution to the goat!

In order to streamline the review of your contribution we ask that you review and comply with the below requirements:

  • Rebase your branch against the latest commit of the target branch
  • If you are adding a dependency, please explain how it was chosen
  • If manual testing is needed in order to validate the changes, provide a testing plan and the expected results
  • If there is an issue associated with your Pull Request, link the issue to the PR.
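
The expected results listed under Manual Testing can be checked mechanically. The following Python is an added example, not code from this pull request or the goat project; it assumes the SBOM and vuln scan outputs are JSON files, and the function names, file names and sample contents are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def check_report(path):
    """Return a list of problems for one SBOM or vuln scan report (assumed to be JSON)."""
    p = Path(path)
    if not p.is_file():
        return [f"{p}: missing"]
    raw = p.read_bytes()
    if not raw.strip():
        return [f"{p}: empty"]
    try:
        doc = json.loads(raw)
    except ValueError as exc:  # covers JSONDecodeError and undecodable bytes
        return [f"{p}: not valid JSON ({exc})"]
    return [] if doc else [f"{p}: valid JSON but no content"]


def check_run(reports, image_tars=()):
    """reports maps platform -> report path; image_tars lists tars expected on disk."""
    problems = []
    seen = {}  # content digest -> first platform that produced it
    for platform, path in sorted(reports.items()):
        found = check_report(path)
        problems.extend(found)
        if found:
            continue
        digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
        if digest in seen:
            # Heuristic: identical output for two platforms suggests one image was scanned twice.
            problems.append(f"{platform}: report identical to {seen[digest]}")
        seen.setdefault(digest, platform)
    for tar in image_tars:
        t = Path(tar)
        if not t.is_file() or t.stat().st_size == 0:
            problems.append(f"{t}: image tar missing or empty")
    return problems


def demo():
    """Run the checks over constructed sample files (not real scanner output)."""
    with tempfile.TemporaryDirectory() as d:
        arm, amd = Path(d, "arm64.json"), Path(d, "amd64.json")
        arm.write_text('{"artifacts": [{"name": "busybox"}]}')
        amd.write_text("")  # simulates a platform whose scan produced nothing
        return check_run({"linux/arm64": arm, "linux/amd64": amd})
```

An empty list from `check_run` means every report parsed, no two platforms produced identical output, and every expected tar is present.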

@JonZeolla JonZeolla marked this pull request as draft August 18, 2023 19:23
Contributor

@ChiefHolland ChiefHolland left a comment

LGTM

@ChiefHolland ChiefHolland merged commit 2cb2176 into main Aug 21, 2023
3 checks passed
@ChiefHolland ChiefHolland deleted the support-multiplatform-sbom-generation branch August 21, 2023 15:40