
fix: make Docker images backward compatible with runAsUser: 1000

b696949
Merged

[TT-16950] fix: make Docker images backward compatible with runAsUser: 1000 #8103

probelabs / Visor: security succeeded Apr 20, 2026 in 1m 26s

✅ Check Passed (Warnings Found)

security check passed. Found 1 warning, but fail_if condition was not met.

Details

📊 Summary

  • Total Issues: 1
  • Warning Issues: 1

🔍 Failure Condition Results

Passed Conditions

  • global_fail_if: Condition passed

Issues by Category

Security (1)

  • ⚠️ ci/Dockerfile.distroless:14 - The command chmod -R a+rX /opt/tyk-gateway/ recursively makes all files in the gateway's installation directory world-readable. If this directory contains any sensitive files with intentionally restrictive permissions (e.g., private keys with permissions 0600), this change will expose them to any user within the container. This could lead to sensitive data exposure if another vulnerability allows code execution as a different user within the container, or if the application itself has a file disclosure vulnerability.

Powered by Visor from Probelabs


Annotations

Check warning on line 15 in ci/Dockerfile.distroless



security Issue

The command `chmod -R a+rX /opt/tyk-gateway/` recursively makes all files in the gateway's installation directory world-readable. If this directory contains any sensitive files with intentionally restrictive permissions (e.g., private keys with permissions `0600`), this change will expose them to any user within the container. This could lead to sensitive data exposure if another vulnerability allows code execution as a different user within the container, or if the application itself has a file disclosure vulnerability.
Raw output
Instead of making all files world-readable, adopt a more granular permission model based on the principle of least privilege. If specific non-root users need access, consider using group permissions. For example, create a dedicated group and set group-read permissions on the files (`chmod -R g+rX`). This avoids exposing potentially sensitive files to all users in the container. If the goal is to support arbitrary user IDs (as is common in some container platforms), ensure that no sensitive files with secrets are packaged within the image with overly permissive file modes.