
Commit 57a5c8d

Improve Container Security with Non-Root User (appuser) (#427)
* chore: add non-root user to Dockerfile for security hardening
* fix: install pipenv dependencies as appuser to resolve vulture command not found
* feat: enhance Dockerfile security hardening with coverage output permissions
* fix: resolve permission issues for non-root user in all environments
* resolve permission error for non-root user in Dockerfile and compose file
* fix: use named volume for test output to avoid permission issues
* remove unnecessary user switching in Dockerfile
* refactor(docker): use named group 'app' for better readability
  - Change group creation from numeric GID to named 'app' group
  - Improve code readability and maintainability
  - Keep same GID (999) for compatibility
1 parent dbc7119 commit 57a5c8d

File tree

2 files changed

+18
-1
lines changed


Dockerfile

Lines changed: 12 additions & 0 deletions
@@ -46,5 +46,17 @@ ARG APP_ENV
4646

4747
RUN npm run build
4848

49+
# Create non-root user for security - use consistent UID/GID across environments
50+
RUN groupadd -r -g 999 app && \
51+
useradd -r -u 999 -g 999 -m appuser
52+
53+
# Create directories and set ownership for non-root user to write files
54+
RUN mkdir -p /opt/app/tmp /opt/app/logs /opt/app/output /home/appuser/.cache /app/output && \
55+
chown -R appuser:app /opt/app /home/appuser /app/output
56+
57+
# Switch to appuser and install dependencies
58+
USER appuser
59+
RUN pipenv install --dev
60+
4961
CMD [ "npm", "start" ]
5062
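Review bot: `chown -R appuser:app /opt/app` hands the runtime user write access to the whole of `/opt/app`, not only the `tmp`, `logs` and `output` directories it needs to write; if that tree holds the application code, a compromised process running as `appuser` can then modify the shipped code, which gives back much of what the switch away from root is meant to take away. Consider limiting the chown to `/opt/app/tmp /opt/app/logs /opt/app/output /home/appuser /app/output` and leaving the rest of `/opt/app` root-owned and read-only; that also avoids a recursive chown layer that duplicates every file it touches. Separately, `groupadd -r -g 999 app` and `useradd -r -u 999 ...` fail the build if UID or GID 999 is already allocated in the base image (999 is a commonly used system ID), so verify with `getent group 999` and `getent passwd 999` in the base image or document why 999 specifically is required for compatibility.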

docker-compose.test.yml

Lines changed: 6 additions & 1 deletion
@@ -16,8 +16,9 @@ services:
1616
condition: service_started
1717
temporal:
1818
condition: service_healthy
19+
# Use named volume to avoid permission issues with bind mounts
1920
volumes:
20-
- ./output:/app/output
21+
- test_output:/app/output
2122

2223
app-db:
2324
image: mongo:5.0
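Review bot: replacing the `./output` bind mount with the `test_output` named volume means test artefacts no longer land on the host automatically; any CI step or developer workflow that reads `./output` after the run will now find nothing and needs an explicit copy-out step such as `docker compose cp <service>:/app/output ./output`, which should be documented next to this comment. The comment also names only the symptom; the cause is that the bind-mounted host directory is owned by the host user's UID while the container now runs as UID 999, so if host visibility of results matters, running the service with a matching `user:` entry or pre-creating `./output` with that ownership would fix the permission error without losing the bind mount.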
@@ -61,3 +62,7 @@ services:
6162
POSTGRES_USER: 'temporal'
6263
ports:
6364
- '5432:5432'
65+
66+
# Define named volume for test output
67+
volumes:
68+
test_output:
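Review bot: a named volume persists across `docker compose up` runs, so `test_output` will carry stale results from earlier runs unless the test target runs `docker compose down -v` (or removes the volume) first; a comment here or in the test script should say so. Ownership deserves a note too: Docker populates a new, empty named volume from the image's `/app/output` and copies that directory's ownership, so this only works for the non-root user because the Dockerfile pre-creates `/app/output` owned by `appuser:app`. If that `mkdir`/`chown` is ever dropped from the image, the volume mounts root-owned and the permission error this change fixes comes back.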
