From c7f8578f38bf7ebdbd71fb46ee2b8d9e2632f42b Mon Sep 17 00:00:00 2001
From: Hugh Brown
Date: Tue, 3 Mar 2026 13:39:32 -0700
Subject: [PATCH] security: run Docker containers as non-root user

Both backend and frontend Dockerfiles ran all processes as root. Add a dedicated appuser in each runtime stage so container processes run with minimal privileges, limiting blast radius of any container escape.

Co-Authored-By: Claude Opus 4.6
---
 backend/Dockerfile | 5 +++++
 frontend/Dockerfile | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/backend/Dockerfile b/backend/Dockerfile
index e521b909..364fc1a6 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -46,6 +46,11 @@ COPY backend/templates ./templates
 # In-repo these live at `scripts/`; runtime path is `/app/scripts`.
 COPY scripts ./scripts
 
+# Run as non-root user
+RUN groupadd --system appgroup && useradd --system --gid appgroup appuser \
+ && chown -R appuser:appgroup /app
+USER appuser
+
 # Default API port
 EXPOSE 8000
 
diff --git a/frontend/Dockerfile b/frontend/Dockerfile
index 64c7b179..422032f7 100644
--- a/frontend/Dockerfile
+++ b/frontend/Dockerfile
@@ -38,6 +38,11 @@ COPY --from=builder /app/package.json ./package.json
 COPY --from=builder /app/node_modules ./node_modules
 COPY --from=builder /app/next.config.ts ./next.config.ts
 
+# Run as non-root user
+RUN addgroup --system appgroup && adduser --system --ingroup appgroup appuser \
+ && chown -R appuser:appgroup /app
+USER appuser
+
 EXPOSE 3000
 CMD ["npm", "run", "start"]
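Review bot: `chown -R appuser:appgroup /app` in the backend hunk hands the runtime user write access to its own code and `/app/scripts`, which gives up the read-only-code property that dropping root is meant to buy, and it also re-emits the entire /app tree as a new image layer; the same applies to the frontend hunk. Prefer keeping /app root-owned and chown'ing only directories the process must write to, or use `COPY --chown=appuser:appgroup` on the COPY instructions (the earlier ones start outside this hunk, so the user would have to be created above them). The user is also created without a fixed UID and selected by name, so orchestrators that enforce a non-root policy by inspecting the image (e.g. Kubernetes `runAsNonRoot`) cannot verify a non-numeric `USER` and will refuse to start the container. Suggested lines: `RUN groupadd --system --gid 10001 appgroup && useradd --system --uid 10001 --gid appgroup --no-create-home --shell /usr/sbin/nologin appuser` and `USER 10001:10001`, with the `chown` narrowed to the writable paths; a one-line comment such as `# Numeric UID so runAsNonRoot-style admission checks can verify the image` would explain the choice.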
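Review bot: The frontend hunk uses `adduser --system` without `--no-create-home`, which on Debian-derived images creates a home directory for the service account that nothing in this Dockerfile needs; if the base image is busybox/Alpine the flag spelling differs (`-S -H -G`), and the hunk does not show which base is in use, so confirm against the FROM line above the hunk. For the `chown`, `next start` is the only process here and, as far as I can tell, needs write access at most to a `.next` cache directory rather than to `node_modules` and `next.config.ts`; narrowing the chown to that path (whether `.next` is copied in is not visible in this hunk) keeps the rest of /app immutable. Suggested: `RUN addgroup --system appgroup && adduser --system --ingroup appgroup --no-create-home appuser` followed by a chown limited to the writable directory.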