
[TT-16950] fix: set nonroot ownership on application files#8019

Closed
buger wants to merge 1 commit into release-5.12.1 from hotfix/fix-nonroot-permissions

Conversation

@buger
Member

@buger buger commented Apr 15, 2026

$(gh pr view 8019 --repo TykTechnologies/tyk --json body -q .body)

Related Tickets

Add --chown=65532:65532 to COPY in Dockerfile.distroless.
Fixes permission denied when gateway writes to middleware/bundles.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@buger buger requested a review from a team as a code owner April 15, 2026 10:33
@probelabs
Contributor

probelabs Bot commented Apr 15, 2026

This pull request addresses a file permission issue in the distroless Docker image that occurs when running the container as a non-root user. The fix involves adding the --chown=65532:65532 flag to the COPY instruction in the Dockerfile, ensuring that the /opt/tyk-gateway directory is owned by the non-root user. This prevents the mkdir /opt/tyk-gateway/middleware/bundles: permission denied error at runtime.

Files Changed Analysis

  • ci/Dockerfile.distroless: Modified to change file ownership during the Docker build process.
    • 1 addition, 1 deletion.

Architecture & Impact Assessment

  • Accomplishment: Fixes a runtime permission error for users following security best practices by running the Tyk Gateway container with a non-root user.
  • Technical Change: Introduces the --chown flag in the COPY command within ci/Dockerfile.distroless to set the owner of the application files to the non-root user (UID 65532).
  • Affected Components: This change impacts the build process of the distroless Docker image for Tyk Gateway. It directly affects the runtime environment of the container, specifically when a non-root security context is enforced.

Scope Discovery & Context Expansion

  • The change is highly targeted, affecting only the distroless Docker image build. The error message mkdir .../middleware/bundles: permission denied indicates a failure during the gateway's initialization when it attempts to write middleware bundle files.
  • This fix aligns the file system permissions with the intended non-root execution user of the container, a common practice for enhancing security.
  • While the change is isolated to one file, it suggests a broader operational context of running Tyk in secured, production-like environments. Other Dockerfiles or deployment scripts in the repository might warrant a review for similar permission issues.
Metadata
  • Review Effort: 1 / 5
  • Primary Label: bug

Powered by Visor from Probelabs

Last updated: 2026-04-15T10:35:28.132Z | Triggered by: pr_opened | Commit: 185b531

💡 TIP: You can chat with Visor using /visor ask <your question>

@probelabs
Contributor

probelabs Bot commented Apr 15, 2026

✅ Security Check Passed

No security issues found – changes LGTM.


Architecture Issues (1)

  • 🟡 Warning: ci/Dockerfile.distroless:17
    The UID and GID `65532` are hard-coded in the `COPY` instruction. This couples the image to a specific user ID, which can cause permission issues in environments that enforce different UIDs for security reasons (e.g., OpenShift). This reduces the image's portability and flexibility.
    💡 Suggestion: To make the image more adaptable, define the UID and GID using build arguments (`ARG`) and reference them in the `--chown` flag. This allows the user/group to be configured at build time. For example:

```dockerfile
ARG TYK_UID=65532
ARG TYK_GID=65532

COPY --chown=${TYK_UID}:${TYK_GID} --from=deb /opt/tyk-gateway /opt/tyk-gateway
```


✅ Performance Check Passed

No performance issues found – changes LGTM.


Last updated: 2026-04-15T10:35:08.774Z | Triggered by: pr_opened | Commit: 185b531

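The fix in this PR and the review bot's `--chown` suggestion above both come down to one property of the built image: every entry under `/opt/tyk-gateway` is owned by the uid:gid the container runs as. A distroless image has no shell, so that cannot be checked with `docker run ... ls -ln`; it can be checked from the tar headers of an exported container filesystem. The following Go program is an added example, not code from the Tyk repository or from this PR. It reads a tar stream such as the output of `docker export "$(docker create <image>)"` and lists every entry under a prefix that is not owned by the expected uid:gid. The `--stdin` flag, the image tag in the usage note, and the in-memory sample filesystem built by `sampleExport` (a constructed layout standing in for a root-owned and for a correctly chowned `/opt/tyk-gateway`) are assumptions for illustration.

```go
// check_ownership.go: added example, not part of the Tyk repository or of
// PR #8019. Verifies that everything under a path prefix inside a container
// filesystem export is owned by the expected uid:gid, which is the property
// `COPY --chown=65532:65532` is meant to establish in the distroless image.
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"os"
	"strings"
)

// Wrong describes one tar entry whose owner differs from the expected uid:gid.
type Wrong struct {
	Path string
	UID  int
	GID  int
}

// CheckOwnership scans a tar stream (for example `docker export` output) and
// returns every entry under prefix that is not owned by uid:gid. Entries
// outside the prefix are ignored, so legitimately root-owned system files
// such as /etc/passwd are not reported.
func CheckOwnership(r io.Reader, prefix string, uid, gid int) ([]Wrong, error) {
	prefix = strings.Trim(prefix, "/")
	tr := tar.NewReader(r)
	var bad []Wrong
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return bad, nil
		}
		if err != nil {
			return bad, err
		}
		name := strings.TrimPrefix(hdr.Name, "./")
		if name != prefix && !strings.HasPrefix(name, prefix+"/") {
			continue
		}
		if hdr.Uid != uid || hdr.Gid != gid {
			bad = append(bad, Wrong{Path: "/" + name, UID: hdr.Uid, GID: hdr.Gid})
		}
	}
}

// sampleExport builds a constructed in-memory export (assumed layout, not the
// real image): a few root-owned system entries plus an application tree owned
// by appUID:appGID. Passing 0,0 models a COPY without --chown; passing
// 65532,65532 models the fix from this PR.
func sampleExport(appUID, appGID int) []byte {
	type entry struct {
		name string
		typ  byte
		uid  int
		gid  int
	}
	entries := []entry{
		{"etc/passwd", tar.TypeReg, 0, 0},
		{"usr/bin/", tar.TypeDir, 0, 0},
		{"opt/tyk-gateway/", tar.TypeDir, appUID, appGID},
		{"opt/tyk-gateway/tyk", tar.TypeReg, appUID, appGID},
		{"opt/tyk-gateway/middleware/", tar.TypeDir, appUID, appGID},
	}
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		mode := int64(0o644)
		if e.typ == tar.TypeDir {
			mode = 0o755
		}
		hdr := &tar.Header{Name: e.name, Typeflag: e.typ, Mode: mode, Uid: e.uid, Gid: e.gid}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// report prints the offending entries for one export.
func report(label string, r io.Reader, prefix string, uid, gid int) {
	bad, err := CheckOwnership(r, prefix, uid, gid)
	if err != nil {
		fmt.Fprintf(os.Stderr, "%s: %v\n", label, err)
		os.Exit(2)
	}
	fmt.Printf("%s: %d entries under %s not owned by %d:%d\n", label, len(bad), prefix, uid, gid)
	for _, w := range bad {
		fmt.Printf("  %s is %d:%d\n", w.Path, w.UID, w.GID)
	}
}

func main() {
	const prefix = "/opt/tyk-gateway"
	const wantUID, wantGID = 65532, 65532
	if len(os.Args) > 1 && os.Args[1] == "--stdin" {
		// Real use: docker export "$(docker create <image>)" | go run check_ownership.go --stdin
		report("stdin", os.Stdin, prefix, wantUID, wantGID)
		return
	}
	// No input given: demonstrate on the constructed before/after samples.
	report("before fix (COPY without --chown)", bytes.NewReader(sampleExport(0, 0)), prefix, wantUID, wantGID)
	report("after fix (COPY --chown=65532:65532)", bytes.NewReader(sampleExport(wantUID, wantGID)), prefix, wantUID, wantGID)
}
```

Run it against a real build with `docker export "$(docker create tyk-gateway:distroless)" | go run check_ownership.go --stdin` (image tag assumed). An empty report means the image layers are correct; it says nothing about the pod's runtime user, so a `runAsUser` other than 65532 will still hit the `permission denied` error, which is the portability point the review bot raises about the hard-coded ID.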

@github-actions
Contributor

API Changes

no api changes detected

@ilijabojanovic ilijabojanovic added the deps-reviewed label (Dependency changes reviewed and approved for CI execution) Apr 15, 2026
@probelabs probelabs Bot added the bug label Apr 15, 2026
@probelabs probelabs Bot changed the title fix: set nonroot ownership on application files [TT-16950] fix: set nonroot ownership on application files Apr 15, 2026
@github-actions
Contributor

🚨 Jira Linter Failed

Commit: 185b531
Failed at: 2026-04-15 10:48:56 UTC

The Jira linter failed to validate your PR. Please check the error details below:

Error details:
failed to validate branch and PR title rules: branch name 'hotfix/fix-nonroot-permissions' must contain a valid Jira ticket ID (e.g., ABC-123)

Next Steps

  • Ensure your branch name contains a valid Jira ticket ID (e.g., ABC-123)
  • Verify your PR title matches the branch's Jira ticket ID
  • Check that the Jira ticket exists and is accessible

This comment will be automatically deleted once the linter passes.

@buger buger closed this Apr 15, 2026
@buger buger deleted the hotfix/fix-nonroot-permissions branch April 15, 2026 10:49

Labels

bug, deps-reviewed (Dependency changes reviewed and approved for CI execution)
