Skip to content

fix(docker): run container as non-root user#310

Merged
cloudsmith-iduffy merged 1 commit into
masterfrom
fix/security-dockerfile
Jun 10, 2026
Merged

fix(docker): run container as non-root user#310
cloudsmith-iduffy merged 1 commit into
masterfrom
fix/security-dockerfile

Conversation

@BartoszBlizniak

Copy link
Copy Markdown
Member

Description

Resolves the "Missing User Instruction" code scanning alert. The image now creates a dedicated cloudsmith user (uid 1000) and drops root before the entrypoint runs.

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update
  • Refactoring
  • Other (please describe)

Additional Notes

Verified locally: image builds and cloudsmith --version runs as uid 1000.

Two remaining Dockerfile alerts are deliberately not addressed — recommend dismissal with justification: HEALTHCHECK is meaningless for a CLI entrypoint container (no long-running process), and apk version pins break rebuilds once versions rotate out of the Alpine index.

@BartoszBlizniak BartoszBlizniak requested a review from a team as a code owner June 10, 2026 12:00
Copilot AI review requested due to automatic review settings June 10, 2026 12:00

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

  • Updates the container image definition to address a security/code-scanning finding by ensuring the Cloudsmith CLI runs as a non-root user at runtime.

Changes:

  • Adds a dedicated cloudsmith user (uid 1000) during the image build.
  • Switches the runtime user to cloudsmith before executing the ENTRYPOINT.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@cloudsmith-iduffy cloudsmith-iduffy merged commit fd7fa2f into master Jun 10, 2026
41 checks passed
@cloudsmith-iduffy cloudsmith-iduffy deleted the fix/security-dockerfile branch June 10, 2026 13:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

3 participants