Hello, and thanks for reading.

Scratch image doesn't work because you need bash to run the script. A scratch image contain nothing.

Of course, the best practice is to use scratch image if your app requires only this. In this case, you install another things and you increase the attack surface.

It's a matter of tradeoffs.

Same things for the responsibility: Either you improve your code, OR, you wrap your code in something else; and the responsibility belongs to the wrapper, not to your code.