security: run Docker containers as non-root user
Both backend and frontend Dockerfiles ran all processes as root. Add a dedicated appuser in each runtime stage so container processes run with minimal privileges, limiting blast radius of any container escape. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Hugh Brown
committed by
Abhimanyu Saharan
Abhimanyu Saharan
parent
4257c08ba9
commit
c7f8578f38
@@ -46,6 +46,11 @@ COPY backend/templates ./templates
|
||||
# In-repo these live at `scripts/`; runtime path is `/app/scripts`.
|
||||
COPY scripts ./scripts
|
||||
|
||||
# Run as non-root user
|
||||
RUN groupadd --system appgroup && useradd --system --gid appgroup appuser \
|
||||
&& chown -R appuser:appgroup /app
|
||||
USER appuser
|
||||
|
||||
# Default API port
|
||||
EXPOSE 8000
|
||||
|
||||
|
||||
Reference in New Issue
Block a user