
fix: make Docker images backward compatible with runAsUser: 1000

d383920
Merged

[TT-17009] make Docker images backward compatible with runAsUser: 1000 #8104

probelabs / Visor: security succeeded Apr 20, 2026 in 1m 31s

✅ Check Passed (Warnings Found)

security check passed. Found 1 warning, but fail_if condition was not met.

Details

📊 Summary

  • Total Issues: 1
  • Warning Issues: 1

🔍 Failure Condition Results

Passed Conditions

  • global_fail_if: Condition passed

Issues by Category

Security (1)

  • ⚠️ ci/Dockerfile.distroless:15 - The command chmod -R a+rX /opt/tyk-gateway/ makes all files in the application directory world-readable. While this enables running the container with an arbitrary user ID, it weakens in-container security. If a vulnerability allows an attacker to execute code as any user within the container, they will be able to read all application files, including configuration files. This could potentially expose sensitive information if any is present.


Annotations

Check warning on line 15 in ci/Dockerfile.distroless


security Issue

Raw output
Consider using a more restrictive permission model if possible. For example, if the container is meant to run with a user from a specific group (like the `root` group, GID 0, which is common in some container platforms), you could change file ownership to `root:<gid>` and set group-readable permissions (`chmod -R g+rX`). This would be more secure than world-readable permissions. If supporting truly arbitrary user IDs is a hard requirement, the current approach may be an acceptable trade-off.