Skip to content

chore(security): run image as non-root and disable CI checkout credential persistence#878

Closed
darkweaver87 wants to merge 1 commit into
traefik:masterfrom
darkweaver87:chore/aikido-harden
Closed

chore(security): run image as non-root and disable CI checkout credential persistence#878
darkweaver87 wants to merge 1 commit into
traefik:masterfrom
darkweaver87:chore/aikido-harden

Conversation

@darkweaver87

@darkweaver87 darkweaver87 commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

Motivation

The runtime images already define a non-root app user (uid 1000) but never switch to it, so the entrypoint runs as root. Separately, the actions/checkout steps persist the GitHub token in .git/config for the whole job (CWE-522/200). This adds USER app to both Dockerfiles and persist-credentials: false to the two workflow checkouts (neither runs authenticated git afterwards).

@darkweaver87 darkweaver87 force-pushed the chore/aikido-harden branch from 47dbe32 to 878c90a Compare July 8, 2026 13:46
@darkweaver87 darkweaver87 changed the base branch from master to v1.4 July 8, 2026 13:46
@darkweaver87 darkweaver87 changed the base branch from v1.4 to master July 8, 2026 14:10
@darkweaver87 darkweaver87 force-pushed the chore/aikido-harden branch from 878c90a to 1820cd4 Compare July 8, 2026 14:14
@darkweaver87 darkweaver87 deleted the chore/aikido-harden branch July 8, 2026 14:58
@darkweaver87

Copy link
Copy Markdown
Collaborator Author

Superseded by #879 (same change; branch/description cleaned up).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants