[DRAFT][DO NOT REVIEW] Add USER "app" to Dockerfile #3520
Draft
aaronburtle wants to merge 2 commits intomainfrom
Draft
[DRAFT][DO NOT REVIEW] Add USER "app" to Dockerfile #3520aaronburtle wants to merge 2 commits intomainfrom
aaronburtle wants to merge 2 commits intomainfrom
Conversation
aaronburtle
requested review from
Alekhya-Polavarapu,
Aniruddh25,
JerryNixon,
RubenCerna2079,
anushakolan,
rusamant,
sourabh1007,
souvikghosh04,
stuartpa and
vadeveka
as code owners
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the container runtime stage to explicitly run Data API Builder as a non-root user (app) to satisfy container security scanners, aligning the Dockerfile with the base image’s intended default user.
Changes:
- Add explanatory comments documenting the rationale for running as non-root in the final image stage.
- Set
USER appin the runtime stage so scanners see a non-rootConfig.User.
Comment on lines
+20
to
+24
| # process and does not require root privileges. Declaring USER explicitly | ||
| # sets the image's Config.User field so image scanners (e.g. Checkmarx One) | ||
| # that require a non-root user in the final stage are satisfied. | ||
| # Port 5000 is above 1024 so a non-root user can bind to it without CAP_NET_BIND_SERVICE. | ||
| USER app |
Aniruddh25
requested changes
May 6, 2026
Collaborator
Aniruddh25
left a comment
Aniruddh25
left a comment
There was a problem hiding this comment.
Copilot suggestion is valid.
github-project-automation
Bot
moved this from Todo
to Review In Progress
in Data API builder
github-project-automation
Bot
moved this from Review In Progress
to Done
in Data API builder
aaronburtle
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why make this change?
Closes #3514
What is this change?
Adds a user
appto our Dockerfile to avoid alterting scanners. For more information see: #3481Switching from root to non-root could potentially be a breaking change so before this can be completed need to finalize the design decision raised in the associated issue. For more details, see: #3514
How was this tested?
Manually tested.