Run Docker container as user 1000 (#1975)
Previously, mega-linter-runner ran the MegaLinter Docker image as root.
In the Docker image, chown the /megalinter, /megalinter-descriptors, and
/action/lib/.automation directories to be owned by user and group 1000.
Users whose files became owned by root as a consequence of having run a
previous version of MegaLinter will need to chown them to be owned by
user 1000 when upgrading MegaLinter.
Kurt-von-Laven committed Apr 7, 2023
1 parent 00df56b commit d334669
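The migration step the commit message describes, as an added example that is not part of this commit or of the MegaLinter project: a POSIX shell script that reports every path in a mounted workspace not owned by the UID the rootless image runs as, and re-owns those paths. UID 1000 is taken from the commit; the `MEGALINTER_UID` variable, the function names and the command-line interface are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the MegaLinter project or this commit): before
# upgrading to the rootless image, find workspace files that an earlier
# root-run container left owned by root, and re-own them to the UID the
# new image runs as. UID 1000 is taken from the commit; the variable name
# MEGALINTER_UID, the function names and the command-line interface are
# assumptions made for this example.

MEGALINTER_UID="${MEGALINTER_UID:-1000}"

# Print every path under $1 that is not owned by UID $2, one per line.
# A numeric argument to -user is accepted by GNU, BSD and busybox find.
# Errors (e.g. unreadable subdirectories) are suppressed so the report
# stays machine-readable; run as root if you need a complete listing.
list_foreign_owned() {
    find "$1" ! -user "$2" -print 2>/dev/null
}

# Number of paths list_foreign_owned reports; 0 means nothing to fix.
count_foreign_owned() {
    list_foreign_owned "$1" "$2" | wc -l | tr -d ' '
}

# Re-own every reported path to $2:$2. Changing ownership to another UID
# needs root (CAP_CHOWN) on the host, so the default is a dry run that only
# prints the commands; pass "apply" as $3 to execute them.
fix_ownership() {
    mode="${3:-dry-run}"
    list_foreign_owned "$1" "$2" | while IFS= read -r path; do
        if [ "$mode" = "apply" ]; then
            chown "$2:$2" "$path"
        else
            printf 'chown %s:%s %s\n' "$2" "$2" "$path"
        fi
    done
}

# Command-line use:
#   sh fix-ownership.sh /path/to/workspace          # report + dry run
#   sudo sh fix-ownership.sh /path/to/workspace apply
if [ -n "${1:-}" ]; then
    n="$(count_foreign_owned "$1" "$MEGALINTER_UID")"
    echo "$n path(s) under $1 are not owned by UID $MEGALINTER_UID"
    fix_ownership "$1" "$MEGALINTER_UID" "${2:-dry-run}"
fi
```

Run the report first (no privileges needed), then the `apply` mode as root or through sudo. If the host account that mounts the workspace is not UID 1000, an alternative to re-owning is to start the container with `docker run --user "$(id -u):$(id -g)" ...`, but then the image's own files, chowned to 1000 by this commit, must remain readable by that other UID; re-owning to 1000 is the route the commit message recommends.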
Showing 133 changed files with 1,042 additions and 392 deletions.
3 changes: 2 additions & 1 deletion .automation/build.py
@@ -251,8 +251,9 @@ def generate_flavor(flavor, flavor_info):
file.write(action_yml)
logging.info(f"Updated {flavor_action_yml}")
extra_lines = [
"COPY entrypoint.sh /entrypoint.sh",
"COPY --chown=1000:1000 entrypoint.sh /entrypoint.sh",
"RUN chmod +x entrypoint.sh",
"USER 1000",
'ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]',
]
build_dockerfile(
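Review bot: the `RUN chmod +x entrypoint.sh` line kept between the two changed lines is redundant and uses a relative path. `ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]` hands the script to bash as an argument, so its executable bit is never consulted, and `chmod +x entrypoint.sh` only works if the working directory happens to be `/`, which nothing in this list sets. Either drop the line or fold it into `COPY --chown=1000:1000 --chmod=755 entrypoint.sh /entrypoint.sh` (BuildKit), which also removes a root-run step between the chown and `USER 1000`.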
2 changes: 2 additions & 0 deletions CHANGELOG.md
@@ -22,6 +22,8 @@ Note: Can be used with `oxsecurity/megalinter@beta` in your GitHub Action mega-l
- Upgrade create-pull-request and create-or-update-comment GitHub Actions
- Increase auto-update-linters GitHub Action timeout
- Upgrade base Docker image to python:3.11.3-alpine3.17
- Make Docker image rootless, and run it as user 1000 rather than root by
@Kurt-von-Laven in [#1975](https://github.com/oxsecurity/megalinter/issues/1975).

- Documentation

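Review bot: the new entry omits the migration step the commit message spells out: workspaces whose files were made root-owned by an earlier (root) run must be chowned to UID 1000 before the new image can write to them. That is a user-visible breaking change and belongs in the changelog line, e.g. `... rather than root (files created as root by earlier versions must be chowned to 1000:1000)`.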
9 changes: 5 additions & 4 deletions Dockerfile
@@ -666,7 +666,7 @@ ENV KICS_QUERIES_PATH=/opt/kics/assets/queries KICS_LIBRARIES_PATH=/opt/kics/ass
################################
# Installs python dependencies #
################################
COPY megalinter /megalinter
COPY --chown=1000:1000 megalinter /megalinter
RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
&& PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
&& rm -rf /var/cache/apk/* \
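Review bot: `setup.py install` and `clean --all` still run as root right after the `--chown=1000:1000` COPY, so anything they write back into /megalinter (for example an egg-info directory, which `clean --all` does not remove) ends up root-owned again, contrary to the commit message's stated intent for /megalinter. Either add a `chown -R 1000:1000 /megalinter` after this RUN or verify in the built image with `find /megalinter ! -user 1000`. The flavor Dockerfiles below repeat this same COPY/RUN sequence.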
@@ -675,8 +675,8 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
#######################################
# Copy scripts and rules to container #
#######################################
COPY megalinter/descriptors /megalinter-descriptors
COPY TEMPLATES /action/lib/.automation
COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
COPY --chown=1000:1000 TEMPLATES /action/lib/.automation

###########################
# Get the build arguments #
@@ -715,7 +715,8 @@ LABEL com.github.actions.name="MegaLinter" \
org.opencontainers.image.description="Lint your code base with GitHub Actions"

#EXTRA_DOCKERFILE_LINES__START
COPY entrypoint.sh /entrypoint.sh
COPY --chown=1000:1000 entrypoint.sh /entrypoint.sh
RUN chmod +x entrypoint.sh
USER 1000
ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
#EXTRA_DOCKERFILE_LINES__END
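Review bot: `USER 1000` lands here, after the `LABEL`s in the generated EXTRA block, whereas the flavor Dockerfiles in this same commit insert it in a dedicated "Make the container rootless" section before "Get the build arguments". Since build.py generates both, the two layouts should match; otherwise a RUN step added later between those points would execute as root in one image and as UID 1000 in the other. Also, `RUN chmod +x entrypoint.sh` relies on the working directory being `/`, which nothing in this hunk guarantees; use the absolute path `/entrypoint.sh` if the step is kept.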
11 changes: 8 additions & 3 deletions flavors/ci_light/Dockerfile
@@ -207,7 +207,7 @@ RUN wget -q -O - https://raw.githubusercontent.com/dotenv-linter/dotenv-linter/m
################################
# Installs python dependencies #
################################
COPY megalinter /megalinter
COPY --chown=1000:1000 megalinter /megalinter
RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
&& PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
&& rm -rf /var/cache/apk/* \
@@ -216,8 +216,13 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
#######################################
# Copy scripts and rules to container #
#######################################
COPY megalinter/descriptors /megalinter-descriptors
COPY TEMPLATES /action/lib/.automation
COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
COPY --chown=1000:1000 TEMPLATES /action/lib/.automation

#####################################################
# Make the container rootless for sake of security. #
#####################################################
USER 1000

###########################
# Get the build arguments #
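Review bot: `USER 1000` is set here with no account behind it: these lines contain no `adduser`/`addgroup` for UID 1000 and no `ENV HOME`, so inside the container `$HOME` falls back to `/` and lookups of the UID in /etc/passwd fail. Linters that write caches or config under `~` will then get permission errors as UID 1000. Add `ENV HOME=/tmp` (or create the user with `adduser -u 1000`) immediately before `USER 1000`. The identical section in each of the other flavor Dockerfiles in this commit has the same gap.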
11 changes: 8 additions & 3 deletions flavors/cupcake/Dockerfile
@@ -448,7 +448,7 @@ ENV KICS_QUERIES_PATH=/opt/kics/assets/queries KICS_LIBRARIES_PATH=/opt/kics/ass
################################
# Installs python dependencies #
################################
COPY megalinter /megalinter
COPY --chown=1000:1000 megalinter /megalinter
RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
&& PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
&& rm -rf /var/cache/apk/* \
@@ -457,8 +457,13 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
#######################################
# Copy scripts and rules to container #
#######################################
COPY megalinter/descriptors /megalinter-descriptors
COPY TEMPLATES /action/lib/.automation
COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
COPY --chown=1000:1000 TEMPLATES /action/lib/.automation

#####################################################
# Make the container rootless for sake of security. #
#####################################################
USER 1000

###########################
# Get the build arguments #
11 changes: 8 additions & 3 deletions flavors/documentation/Dockerfile
@@ -294,7 +294,7 @@ RUN printf '#!/bin/bash \n\nif [[ -x "$1" ]]; then exit 0; else echo "Error: Fil
################################
# Installs python dependencies #
################################
COPY megalinter /megalinter
COPY --chown=1000:1000 megalinter /megalinter
RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
&& PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
&& rm -rf /var/cache/apk/* \
@@ -303,8 +303,13 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
#######################################
# Copy scripts and rules to container #
#######################################
COPY megalinter/descriptors /megalinter-descriptors
COPY TEMPLATES /action/lib/.automation
COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
COPY --chown=1000:1000 TEMPLATES /action/lib/.automation

#####################################################
# Make the container rootless for sake of security. #
#####################################################
USER 1000

###########################
# Get the build arguments #
11 changes: 8 additions & 3 deletions flavors/dotnet/Dockerfile
@@ -389,7 +389,7 @@ RUN curl --retry 5 --retry-delay 5 -sLO "${ARM_TTK_URI}" \
################################
# Installs python dependencies #
################################
COPY megalinter /megalinter
COPY --chown=1000:1000 megalinter /megalinter
RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
&& PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
&& rm -rf /var/cache/apk/* \
@@ -398,8 +398,13 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
#######################################
# Copy scripts and rules to container #
#######################################
COPY megalinter/descriptors /megalinter-descriptors
COPY TEMPLATES /action/lib/.automation
COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
COPY --chown=1000:1000 TEMPLATES /action/lib/.automation

#####################################################
# Make the container rootless for sake of security. #
#####################################################
USER 1000

###########################
# Get the build arguments #
11 changes: 8 additions & 3 deletions flavors/go/Dockerfile
@@ -309,7 +309,7 @@ RUN printf '#!/bin/bash \n\nif [[ -x "$1" ]]; then exit 0; else echo "Error: Fil
################################
# Installs python dependencies #
################################
COPY megalinter /megalinter
COPY --chown=1000:1000 megalinter /megalinter
RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
&& PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
&& rm -rf /var/cache/apk/* \
@@ -318,8 +318,13 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
#######################################
# Copy scripts and rules to container #
#######################################
COPY megalinter/descriptors /megalinter-descriptors
COPY TEMPLATES /action/lib/.automation
COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
COPY --chown=1000:1000 TEMPLATES /action/lib/.automation

#####################################################
# Make the container rootless for sake of security. #
#####################################################
USER 1000

###########################
# Get the build arguments #
11 changes: 8 additions & 3 deletions flavors/java/Dockerfile
@@ -322,7 +322,7 @@ RUN wget --quiet https://github.com/pmd/pmd/releases/download/pmd_releases%2F${P
################################
# Installs python dependencies #
################################
COPY megalinter /megalinter
COPY --chown=1000:1000 megalinter /megalinter
RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
&& PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
&& rm -rf /var/cache/apk/* \
@@ -331,8 +331,13 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
#######################################
# Copy scripts and rules to container #
#######################################
COPY megalinter/descriptors /megalinter-descriptors
COPY TEMPLATES /action/lib/.automation
COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
COPY --chown=1000:1000 TEMPLATES /action/lib/.automation

#####################################################
# Make the container rootless for sake of security. #
#####################################################
USER 1000

###########################
# Get the build arguments #
11 changes: 8 additions & 3 deletions flavors/javascript/Dockerfile
@@ -310,7 +310,7 @@ RUN printf '#!/bin/bash \n\nif [[ -x "$1" ]]; then exit 0; else echo "Error: Fil
################################
# Installs python dependencies #
################################
COPY megalinter /megalinter
COPY --chown=1000:1000 megalinter /megalinter
RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
&& PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
&& rm -rf /var/cache/apk/* \
@@ -319,8 +319,13 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
#######################################
# Copy scripts and rules to container #
#######################################
COPY megalinter/descriptors /megalinter-descriptors
COPY TEMPLATES /action/lib/.automation
COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
COPY --chown=1000:1000 TEMPLATES /action/lib/.automation

#####################################################
# Make the container rootless for sake of security. #
#####################################################
USER 1000

###########################
# Get the build arguments #
11 changes: 8 additions & 3 deletions flavors/php/Dockerfile
@@ -338,7 +338,7 @@ RUN composer global require --ignore-platform-reqs overtrue/phplint ^5.3 \
################################
# Installs python dependencies #
################################
COPY megalinter /megalinter
COPY --chown=1000:1000 megalinter /megalinter
RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
&& PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
&& rm -rf /var/cache/apk/* \
@@ -347,8 +347,13 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
#######################################
# Copy scripts and rules to container #
#######################################
COPY megalinter/descriptors /megalinter-descriptors
COPY TEMPLATES /action/lib/.automation
COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
COPY --chown=1000:1000 TEMPLATES /action/lib/.automation

#####################################################
# Make the container rootless for sake of security. #
#####################################################
USER 1000

###########################
# Get the build arguments #
11 changes: 8 additions & 3 deletions flavors/python/Dockerfile
@@ -305,7 +305,7 @@ RUN printf '#!/bin/bash \n\nif [[ -x "$1" ]]; then exit 0; else echo "Error: Fil
################################
# Installs python dependencies #
################################
COPY megalinter /megalinter
COPY --chown=1000:1000 megalinter /megalinter
RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
&& PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
&& rm -rf /var/cache/apk/* \
@@ -314,8 +314,13 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
#######################################
# Copy scripts and rules to container #
#######################################
COPY megalinter/descriptors /megalinter-descriptors
COPY TEMPLATES /action/lib/.automation
COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
COPY --chown=1000:1000 TEMPLATES /action/lib/.automation

#####################################################
# Make the container rootless for sake of security. #
#####################################################
USER 1000

###########################
# Get the build arguments #
11 changes: 8 additions & 3 deletions flavors/ruby/Dockerfile
@@ -295,7 +295,7 @@ RUN printf '#!/bin/bash \n\nif [[ -x "$1" ]]; then exit 0; else echo "Error: Fil
################################
# Installs python dependencies #
################################
COPY megalinter /megalinter
COPY --chown=1000:1000 megalinter /megalinter
RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
&& PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
&& rm -rf /var/cache/apk/* \
@@ -304,8 +304,13 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
#######################################
# Copy scripts and rules to container #
#######################################
COPY megalinter/descriptors /megalinter-descriptors
COPY TEMPLATES /action/lib/.automation
COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
COPY --chown=1000:1000 TEMPLATES /action/lib/.automation

#####################################################
# Make the container rootless for sake of security. #
#####################################################
USER 1000

###########################
# Get the build arguments #
11 changes: 8 additions & 3 deletions flavors/rust/Dockerfile
@@ -289,7 +289,7 @@ RUN printf '#!/bin/bash \n\nif [[ -x "$1" ]]; then exit 0; else echo "Error: Fil
################################
# Installs python dependencies #
################################
COPY megalinter /megalinter
COPY --chown=1000:1000 megalinter /megalinter
RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
&& PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
&& rm -rf /var/cache/apk/* \
@@ -298,8 +298,13 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
#######################################
# Copy scripts and rules to container #
#######################################
COPY megalinter/descriptors /megalinter-descriptors
COPY TEMPLATES /action/lib/.automation
COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
COPY --chown=1000:1000 TEMPLATES /action/lib/.automation

#####################################################
# Make the container rootless for sake of security. #
#####################################################
USER 1000

###########################
# Get the build arguments #
11 changes: 8 additions & 3 deletions flavors/salesforce/Dockerfile
@@ -316,7 +316,7 @@ RUN echo y|sfdx plugins:install sfdx-hardis \
################################
# Installs python dependencies #
################################
COPY megalinter /megalinter
COPY --chown=1000:1000 megalinter /megalinter
RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
&& PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
&& rm -rf /var/cache/apk/* \
@@ -325,8 +325,13 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
#######################################
# Copy scripts and rules to container #
#######################################
COPY megalinter/descriptors /megalinter-descriptors
COPY TEMPLATES /action/lib/.automation
COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
COPY --chown=1000:1000 TEMPLATES /action/lib/.automation

#####################################################
# Make the container rootless for sake of security. #
#####################################################
USER 1000

###########################
# Get the build arguments #
11 changes: 8 additions & 3 deletions flavors/security/Dockerfile
@@ -251,7 +251,7 @@ ENV KICS_QUERIES_PATH=/opt/kics/assets/queries KICS_LIBRARIES_PATH=/opt/kics/ass
################################
# Installs python dependencies #
################################
COPY megalinter /megalinter
COPY --chown=1000:1000 megalinter /megalinter
RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
&& PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
&& rm -rf /var/cache/apk/* \
@@ -260,8 +260,13 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
#######################################
# Copy scripts and rules to container #
#######################################
COPY megalinter/descriptors /megalinter-descriptors
COPY TEMPLATES /action/lib/.automation
COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
COPY --chown=1000:1000 TEMPLATES /action/lib/.automation

#####################################################
# Make the container rootless for sake of security. #
#####################################################
USER 1000

###########################
# Get the build arguments #
11 changes: 8 additions & 3 deletions flavors/swift/Dockerfile
@@ -292,7 +292,7 @@ RUN rc-update add docker boot && rc-service docker start || true \
################################
# Installs python dependencies #
################################
COPY megalinter /megalinter
COPY --chown=1000:1000 megalinter /megalinter
RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
&& PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
&& rm -rf /var/cache/apk/* \
@@ -301,8 +301,13 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
#######################################
# Copy scripts and rules to container #
#######################################
COPY megalinter/descriptors /megalinter-descriptors
COPY TEMPLATES /action/lib/.automation
COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
COPY --chown=1000:1000 TEMPLATES /action/lib/.automation

#####################################################
# Make the container rootless for sake of security. #
#####################################################
USER 1000

###########################
# Get the build arguments #
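Review bot: this flavor's first hunk header shows a Docker daemon being installed and started (`rc-update add docker boot && rc-service docker start`), yet `USER 1000` here configures no supplementary groups. The daemon socket is owned by root (and normally group `docker`), so any linter in this flavor that talks to it at runtime will get permission denied as UID 1000. Either add the user to the `docker` group before `USER 1000` or confirm that no linter in this flavor needs the daemon after the switch.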