security: run Docker containers as non-root user

Both backend and frontend Dockerfiles ran all processes as root. Add a dedicated appuser in each runtime stage so container processes run with minimal privileges, limiting blast radius of any container escape. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-03 13:39:32 -07:00
parent 4257c08ba9
commit c7f8578f38
2 changed files with 10 additions and 0 deletions
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -46,6 +46,11 @@ COPY backend/templates ./templates
 # In-repo these live at `scripts/`; runtime path is `/app/scripts`.
 COPY scripts ./scripts

+# Run as non-root user
+RUN groupadd --system appgroup && useradd --system --gid appgroup appuser \
+  && chown -R appuser:appgroup /app
+USER appuser
+
 # Default API port
 EXPOSE 8000

--- a/frontend/Dockerfile
+++ b/frontend/Dockerfile
@@ -38,6 +38,11 @@ COPY --from=builder /app/package.json ./package.json
 COPY --from=builder /app/node_modules ./node_modules
 COPY --from=builder /app/next.config.ts ./next.config.ts

+# Run as non-root user
+RUN addgroup --system appgroup && adduser --system --ingroup appgroup appuser \
+  && chown -R appuser:appgroup /app
+USER appuser
+
 EXPOSE 3000

 CMD ["npm", "run", "start"]