[TT-16950] fix: set nonroot ownership on application files #8019
probelabs / Visor: architecture
succeeded
Apr 15, 2026 in 42s
✅ Check Passed (Warnings Found)
architecture check passed. Found 1 warning, but fail_if condition was not met.
Details
📊 Summary
- Total Issues: 1
- Warning Issues: 1
🔍 Failure Condition Results
Passed Conditions
- global_fail_if: Condition passed
Issues by Category
Architecture (1)
⚠️ ci/Dockerfile.distroless:17 - The UID and GID65532are hard-coded in theCOPYinstruction. This couples the image to a specific user ID, which can cause permission issues in environments that enforce different UIDs for security reasons (e.g., OpenShift). This reduces the image's portability and flexibility.
Powered by Visor from Probelabs
💡 TIP: You can chat with Visor using /visor ask <your question>
Annotations
Check warning on line 17 in ci/Dockerfile.distroless
probelabs / Visor: architecture
architecture Issue
The UID and GID `65532` are hard-coded in the `COPY` instruction. This couples the image to a specific user ID, which can cause permission issues in environments that enforce different UIDs for security reasons (e.g., OpenShift). This reduces the image's portability and flexibility.
Raw output
To make the image more adaptable, define the UID and GID using build arguments (`ARG`) and reference them in the `--chown` flag. This allows the user/group to be configured at build time. For example:
```dockerfile
ARG TYK_UID=65532
ARG TYK_GID=65532
COPY --chown=${TYK_UID}:${TYK_GID} --from=deb /opt/tyk-gateway /opt/tyk-gateway
```
Loading