Run Docker container as user 1000 (#1975)

Previously, mega-linter-runner ran the MegaLinter Docker image as root. In the Docker image, chown the /megalinter, /megalinter-descriptors, and /action/lib/.automation directories to be owned by user and group 1000. Users whose files became owned by root as a consequence of having run a previous version of MegaLinter will need to chown them to be owned by user 1000 when upgrading MegaLinter.
oxsecurity · Apr 4, 2023 · c231830 · c231830
1 parent e48717a
commit c231830
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -18,6 +18,8 @@ Note: Can be used with `oxsecurity/megalinter@beta` in your GitHub Action mega-l
     [#2455](https://github.com/oxsecurity/megalinter/pull/2455).
 
 - Core
+  - Make Docker image rootless, and run it as user 1000 rather than root by
+    @Kurt-von-Laven in [#1975](https://github.com/oxsecurity/megalinter/issues/1975).
 
 - Documentation
 

diff --git a/Dockerfile b/Dockerfile
@@ -666,7 +666,7 @@ ENV KICS_QUERIES_PATH=/opt/kics/assets/queries KICS_LIBRARIES_PATH=/opt/kics/ass
 ################################
 # Installs python dependencies #
 ################################
-COPY megalinter /megalinter
+COPY --chown=1000:1000 megalinter /megalinter
 RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
     && PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
     && rm -rf /var/cache/apk/* \
@@ -675,8 +675,13 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
 #######################################
 # Copy scripts and rules to container #
 #######################################
-COPY megalinter/descriptors /megalinter-descriptors
-COPY TEMPLATES /action/lib/.automation
+COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
+COPY --chown=1000:1000 TEMPLATES /action/lib/.automation
+
+###############################################################
+# Make a directory to bind mount to that isn't owned by root. #
+###############################################################
+RUN mkdir /tmp/lint && chown 1000:1000 /tmp/lint
 
 ###########################
 # Get the build arguments #

diff --git a/mega-linter-runner/lib/runner.js b/mega-linter-runner/lib/runner.js
@@ -132,6 +132,7 @@ ERROR: Docker engine has not been found on your system.
     if (options["containerName"]) {
       commandArgs.push(...["--name", options["containerName"]]);
     }
+    commandArgs.push(...["--user", `1000:1000`]);
     commandArgs.push(...["-v", "/var/run/docker.sock:/var/run/docker.sock:rw"]);
     commandArgs.push(...["-v", `${lintPath}:/tmp/lint:rw`]);
     if (options.fix === true) {