Skip to content

chore(security): run image as non-root and disable CI checkout credential persistence#879

Open
darkweaver87 wants to merge 1 commit into
traefik:masterfrom
darkweaver87:chore/security-hardening
Open

chore(security): run image as non-root and disable CI checkout credential persistence#879
darkweaver87 wants to merge 1 commit into
traefik:masterfrom
darkweaver87:chore/security-hardening

Conversation

@darkweaver87

Copy link
Copy Markdown
Collaborator

Motivation

The runtime images already define a non-root app user (uid 1000) but never switch to it, so the entrypoint runs as root. Separately, the actions/checkout steps persist the GitHub token in .git/config for the whole job (CWE-522/200). This adds USER app to both Dockerfiles and persist-credentials: false to the two workflow checkouts (neither runs authenticated git afterwards).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant