From 391c250a503615697ba429dbe1ee0de31d266790 Mon Sep 17 00:00:00 2001
From: aaronburtle
Date: Tue, 5 May 2026 16:56:08 -0700
Subject: [PATCH] add USER to dockerfile for scanners

---
 Dockerfile | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 59190b6374..7d8d600885 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -14,4 +14,13 @@ COPY --from=build /out /App
 COPY dab-config.json /App/dab-config.json
 WORKDIR /App
 ENV ASPNETCORE_URLS=http://+:5000
+
+# Run as the non-root "app" user (UID/GID 64198) that ships with the
+# mcr.microsoft.com/dotnet/aspnet base image. DAB is just an ASP.NET Core
+# process and does not require root privileges. Declaring USER explicitly
+# sets the image's Config.User field so image scanners (e.g. Checkmarx One)
+# that require a non-root user in the final stage are satisfied.
+# Port 5000 is above 1024 so a non-root user can bind to it without CAP_NET_BIND_SERVICE.
+USER app
+
 ENTRYPOINT ["dotnet", "Azure.DataApiBuilder.Service.dll"]
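Review bot: `USER app` sets Config.User to a name rather than a numeric UID, so a Kubernetes pod with `runAsNonRoot: true` cannot verify the user is non-root from the image alone and will refuse to start the container; the scanner is satisfied but a common runtime hardening check is not. The .NET 8+ aspnet images export the user's UID as `APP_UID`, so `USER $APP_UID` keeps the same user while giving the runtime a numeric value it can check — confirm the base image defines it, since the `FROM` line is outside this hunk. The comment also hard-codes "UID/GID 64198"; that number should be verified against the base image's `APP_UID` rather than asserted, or the comment should simply refer to `APP_UID`. Note that `/App` is populated by root-owned `COPY` instructions, which is fine for a read-only deployment but means any path DAB writes to at runtime (logs, generated files, if any) would need explicit ownership or a writable mount under the new user.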