
Commit 1d4459a

Claude Code Service and claude committed
Fix Trivy DS-0002 and DS-0029 in Dockerfiles
DS-0002 (HIGH): run containers as a non-root user. Create an unprivileged 'appuser' and add a USER instruction to the action image (Dockerfile) and to the dev/test stages (Dockerfile.dev). HOME is set so gh and tooling have a writable home, and the entrypoint/report directories are chowned so the non-root user retains read/execute access.

DS-0029 (HIGH): add --no-install-recommends to the apt-get install command in both Dockerfiles.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
1 parent c7a53e5 commit 1d4459a

2 files changed

Lines changed: 13 additions & 3 deletions


Dockerfile

Lines changed: 5 additions & 1 deletion
@@ -4,7 +4,7 @@ FROM python:latest@sha256:6d58c1a9444bc2664f0fa20c43a592fcdb2698eb9a9c3225751653
44
RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg && \
55
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | tee /etc/apt/sources.list.d/github-cli.list > /dev/null && \
66
apt-get update --allow-releaseinfo-change && \
7-
DEBIAN_FRONTEND="noninteractive" apt-get -yq install \
7+
DEBIAN_FRONTEND="noninteractive" apt-get -yq install --no-install-recommends \
88
bash \
99
curl \
1010
jq \
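Review bot: `--no-install-recommends` silently drops any package the entrypoint was getting only transitively, so confirm the explicit list (bash, curl, jq, and whatever follows in the part the hunk cuts off) still covers every binary `/entrypoint.sh` invokes, and exercise `gh` after the rebuild since it is installed from this same apt block. While in this block, `--allow-releaseinfo-change` on the `apt-get update` is unrelated to the Trivy finding and relaxes the check that the GitHub CLI repository's Release metadata has not changed; it is worth revisiting whether it is still needed.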
@@ -18,4 +18,8 @@ COPY trivy_report /trivy_report
1818

1919
RUN chmod +x /entrypoint.sh
2020

21+
RUN useradd --create-home --uid 1001 --shell /bin/bash appuser
22+
ENV HOME=/home/appuser
23+
USER appuser
24+
2125
ENTRYPOINT ["/entrypoint.sh"]
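Review bot: nothing in this file changes the ownership of `/trivy_report` or `/entrypoint.sh` (the chown only appears in Dockerfile.dev), so after `USER appuser` the entrypoint still executes thanks to `chmod +x`, but uid 1001 cannot write under `/trivy_report`; if the action writes its report there at runtime, add `chown -R appuser:appuser /trivy_report` or `COPY --chown=appuser:appuser trivy_report /trivy_report` before the `USER` line. Prefer a numeric `USER 1001` (with an explicit `--gid` on the `useradd`) over the name so orchestrator `runAsNonRoot` checks can verify the UID without resolving /etc/passwd.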

Dockerfile.dev

Lines changed: 8 additions & 2 deletions
@@ -4,7 +4,7 @@ FROM python:latest AS base
44
RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg && \
55
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | tee /etc/apt/sources.list.d/github-cli.list > /dev/null && \
66
apt-get update --allow-releaseinfo-change && \
7-
DEBIAN_FRONTEND="noninteractive" apt-get -yq install \
7+
DEBIAN_FRONTEND="noninteractive" apt-get -yq install --no-install-recommends \
88
bash \
99
curl \
1010
jq \
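Review bot: `FROM python:latest AS base` is not digest-pinned, unlike the `python:latest@sha256:...` in Dockerfile, so the dev/test image floats with the tag and the non-root fix can be validated against a different base than the one shipped; pin it the same way. The apt block, including the new `--no-install-recommends`, is otherwise a verbatim copy of the one in Dockerfile, and two hand-maintained package lists are exactly what drifts; consider having Dockerfile build from this `base` stage so there is one list to audit.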
@@ -13,6 +13,9 @@ RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | d
1313

1414
ENV PYTHONPATH="/"
1515

16+
RUN useradd --create-home --uid 1001 --shell /bin/bash appuser
17+
ENV HOME=/home/appuser
18+
1619
FROM base AS dev
1720

1821
COPY ./requirements.txt /
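Review bot: `useradd --create-home --uid 1001` fixes the UID but not the GID, so the primary group's id depends on what `python:latest` has already allocated (it usually mirrors the UID but is not guaranteed); pass `--user-group` or an explicit `--gid 1001` so ownership and any `USER 1001:1001` remain reproducible across base-image updates. Creating the user in `base` is the right place since every later stage inherits it, but `ENV HOME` lands here while `USER` is only set further down, so a stage derived from `base` that forgets its own `USER appuser` still runs as root.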
@@ -25,7 +28,10 @@ COPY ./bin/print_issues /docker/print_issues
2528
COPY ./trivy_report /trivy_report
2629
COPY ./tests/ /tests/
2730

28-
RUN chmod +x /docker/*
31+
RUN chmod +x /docker/* && \
32+
chown -R appuser /docker /tests /trivy_report
33+
34+
USER appuser
2935

3036
ENTRYPOINT ["/docker/print_issues"]
3137
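Review bot: `chown -R appuser /docker /tests /trivy_report` in a layer after the COPYs rewrites every copied file into a new layer (duplicating them in the image) and gives the non-root user ownership of its own entrypoint scripts under `/docker`, which it only needs to read and execute. Keep `/docker` root-owned and readable/executable by others (the `chmod +x` already covers execution), use `COPY --chown=appuser:appuser ...` on the paths that genuinely need to be writable, and include the group so it does not stay root. Also check that the directory the tests run from is writable by uid 1001, since `COPY ./requirements.txt /` and anything else landing in `/` remains root-owned.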
