Skip to content

fix(docker): run the default image as a non-root user#475

Open
NickAldewereld wants to merge 1 commit into
CorentinTh:mainfrom
NickAldewereld:fix/docker-non-root
Open

fix(docker): run the default image as a non-root user#475
NickAldewereld wants to merge 1 commit into
CorentinTh:mainfrom
NickAldewereld:fix/docker-non-root

Conversation

@NickAldewereld

Copy link
Copy Markdown

The default Dockerfile runs the container as root (only Dockerfile.rootless drops privileges, and it isn't the image the reference docker-compose.yml uses).

  • Run the final image as the built-in unprivileged node user (chown /app + USER node).
  • Add a HEALTHCHECK hitting /api/ping.
  • Exclude .git / .github from the build context in .dockerignore (the builder stage does COPY . .).
  • Add no-new-privileges, cap_drop: [ALL] and read_only (with a tmpfs for /tmp) to the reference compose file, plus a commented-out example of setting a strong AUTHENTICATION_JWT_SECRET.

No application behaviour changes.

Run as the built-in unprivileged `node` user, add a HEALTHCHECK, exclude
.git/.github from the build context, and add no-new-privileges / cap_drop /
read_only to the reference compose file.
@sonarqubecloud

sonarqubecloud Bot commented Jul 8, 2026

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant