Add USER 65532 to generated Dockerfile for non-root compliance
Some checks failed
Weekly Rebuild (CVE Updates) / rebuild (apko/dotnet-runtime.yaml, dotnet-runtime) (push) Waiting to run
Weekly Rebuild (CVE Updates) / rebuild (apko/dotnet-sdk.yaml, dotnet-sdk) (push) Waiting to run
Weekly Rebuild (CVE Updates) / rebuild (apko/flutter-sdk.yaml, flutter-sdk) (push) Waiting to run
Check for Upstream Stable Updates / Check Wolfi package updates (push) Waiting to run
Check for Upstream Stable Updates / Check .NET stable releases (push) Waiting to run
Check for Upstream Stable Updates / Check Flutter stable releases (push) Waiting to run
Check for Upstream Stable Updates / Rebuild and push all variants (apko/base.yaml, base) (push) Blocked by required conditions
Check for Upstream Stable Updates / Rebuild and push all variants (apko/build.yaml, build) (push) Blocked by required conditions
Check for Upstream Stable Updates / Rebuild and push all variants (apko/dotnet-runtime.yaml, dotnet-runtime) (push) Blocked by required conditions
Check for Upstream Stable Updates / Rebuild and push all variants (apko/dotnet-sdk.yaml, dotnet-sdk) (push) Blocked by required conditions
Check for Upstream Stable Updates / Rebuild and push all variants (apko/flutter-sdk.yaml, flutter-sdk) (push) Blocked by required conditions
Check for Upstream Stable Updates / Create release for new Flutter version (push) Blocked by required conditions
Build and Push Base Distro Images / build-and-push (apko/base.yaml, base) (push) Successful in 49s
Build and Push Base Distro Images / build-and-push (apko/build.yaml, build) (push) Successful in 58s
Build and Push Base Distro Images / build-and-push (apko/dotnet-runtime.yaml, dotnet-runtime) (push) Successful in 51s
Build and Push Base Distro Images / build-and-push (apko/dotnet-sdk.yaml, dotnet-sdk) (push) Successful in 1m8s
Build and Push Base Distro Images / build-and-push (apko/flutter-sdk.yaml, flutter-sdk) (push) Successful in 39s
Weekly Rebuild (CVE Updates) / rebuild (apko/build.yaml, build) (push) Has been cancelled
Weekly Rebuild (CVE Updates) / rebuild (apko/base.yaml, base) (push) Has been cancelled
The FROM scratch + ADD pattern loses apko's OCI config metadata including the run-as user. Adding USER 65532 to the Dockerfile restores the non-root default that Docker Scout checks for.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

This commit is contained in:
parent 7c2d558a35
commit f72130c6bf
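The commit message describes the regression this change addresses: when apko's OCI tarball is re-rolled through `FROM scratch` + `ADD image.tar /`, the resulting image config no longer carries the `User` (or the other config fields) apko wrote, so the container defaults to root. The script below is an added example, not code from this commit or the project, showing how to detect that regression without Docker: it walks an OCI image layout (`index.json` -> manifest -> config blob), which is the layout `apko build` writes, and classifies the config's `User`. The three sample image configs are constructed in memory and are assumptions about what each stage looks like; a `docker save` tarball uses a different internal layout and is not handled here.

```python
"""Check whether an OCI image tarball's config declares a non-root user.

Added example, not the project's code. Reads the OCI image layout
(index.json -> manifest -> config) and reports the config's User field,
the field that FROM scratch + ADD drops and USER 65532 restores.
All sample images are constructed in memory.
"""
import hashlib
import io
import json
import tarfile


def _blob_path(digest: str) -> str:
    """Map an OCI digest ("sha256:<hex>") to its path inside the layout."""
    algo, hexdigest = digest.split(":", 1)
    return f"blobs/{algo}/{hexdigest}"


def _digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def build_oci_tar(image_config: dict) -> bytes:
    """Construct a minimal single-manifest OCI layout tarball (sample data)."""
    config_bytes = json.dumps(image_config).encode()
    manifest = {
        "schemaVersion": 2,
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "config": {
            "mediaType": "application/vnd.oci.image.config.v1+json",
            "digest": _digest(config_bytes),
            "size": len(config_bytes),
        },
        "layers": [],  # layers do not matter for this check, so none are included
    }
    manifest_bytes = json.dumps(manifest).encode()
    index = {
        "schemaVersion": 2,
        "manifests": [{"mediaType": manifest["mediaType"],
                       "digest": _digest(manifest_bytes),
                       "size": len(manifest_bytes)}],
    }
    entries = [
        ("oci-layout", b'{"imageLayoutVersion": "1.0.0"}'),
        ("index.json", json.dumps(index).encode()),
        (_blob_path(_digest(manifest_bytes)), manifest_bytes),
        (_blob_path(_digest(config_bytes)), config_bytes),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def load_image_config(tar_bytes: bytes) -> dict:
    """Follow index.json -> first manifest -> config blob and parse the config."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        def read_json(name: str) -> dict:
            member = tf.extractfile(name)
            if member is None:
                raise ValueError(f"{name} missing from image layout")
            return json.loads(member.read())

        index = read_json("index.json")
        manifest = read_json(_blob_path(index["manifests"][0]["digest"]))
        return read_json(_blob_path(manifest["config"]["digest"]))


def classify_user(image_config: dict) -> str:
    """Return "unset", "root", "non-root" or "unresolved" for the config's User.

    Only a numeric UID can be judged from the config alone; a user name would
    have to be resolved against the image's /etc/passwd, so it is flagged.
    """
    user = image_config.get("config", {}).get("User", "")
    if not user:
        return "unset"            # the runtime then defaults to root
    uid = user.split(":", 1)[0]   # drop an optional ":gid" suffix
    if uid in ("root", "0"):
        return "root"
    return "non-root" if uid.isdigit() else "unresolved"


# Constructed samples: what apko emits, what the scratch+ADD rewrite leaves,
# and what the generated Dockerfile yields once this commit's USER line is added.
APKO_BUILT = {"architecture": "amd64", "os": "linux",
              "config": {"User": "65532", "Entrypoint": ["/usr/bin/dotnet"],
                         "Env": ["PATH=/usr/sbin:/usr/bin:/sbin:/bin"]}}
SCRATCH_ADD = {"architecture": "amd64", "os": "linux", "config": {}}
SCRATCH_ADD_WITH_USER = {"architecture": "amd64", "os": "linux",
                         "config": {"User": "65532"}}


def check_tar(tar_bytes: bytes) -> str:
    return classify_user(load_image_config(tar_bytes))


if __name__ == "__main__":
    for label, cfg in [("apko build", APKO_BUILT), ("scratch+ADD", SCRATCH_ADD),
                       ("scratch+ADD+USER", SCRATCH_ADD_WITH_USER)]:
        print(f"{label:18s} -> {check_tar(build_oci_tar(cfg))}")
```

Run against a real `apko build` output tarball, `check_tar(open("image.tar", "rb").read())` gives a pass/fail signal that a CI step can gate on; the "unresolved" result is deliberate, because a `USER nonroot` line only proves something once the name is looked up in the image's own `/etc/passwd`.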
@ -117,6 +117,7 @@ jobs:
|
|||||||
/tmp/image.tar
|
/tmp/image.tar
|
||||||
echo 'FROM scratch' > /tmp/Dockerfile
|
echo 'FROM scratch' > /tmp/Dockerfile
|
||||||
echo 'ADD image.tar /' >> /tmp/Dockerfile
|
echo 'ADD image.tar /' >> /tmp/Dockerfile
|
||||||
|
echo 'USER 65532' >> /tmp/Dockerfile
|
||||||
|
|
||||||
- name: Build and push with buildx (SBOM + provenance)
|
- name: Build and push with buildx (SBOM + provenance)
|
||||||
uses: docker/build-push-action@v5
|
uses: docker/build-push-action@v5
|
||||||
|
|||||||
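Review bot: `USER 65532` restores only the run-as user, while the `FROM scratch` + `ADD image.tar /` rewrite in this step also discards the rest of the apko OCI config that the commit message says is lost (entrypoint/cmd, environment such as PATH, working directory, labels), so the image pushed by the next step still does not match what apko built. Consider loading or pushing the apko tarball as-is (for example `docker load`, `crane push`, or `apko publish`) instead of regenerating it through a Dockerfile; if the Dockerfile route has to stay, carry the `ENTRYPOINT` and `ENV` values from the apko config into it alongside the `USER` line.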
@ -109,6 +109,7 @@ jobs:
|
|||||||
/tmp/image.tar
|
/tmp/image.tar
|
||||||
echo 'FROM scratch' > /tmp/Dockerfile
|
echo 'FROM scratch' > /tmp/Dockerfile
|
||||||
echo 'ADD image.tar /' >> /tmp/Dockerfile
|
echo 'ADD image.tar /' >> /tmp/Dockerfile
|
||||||
|
echo 'USER 65532' >> /tmp/Dockerfile
|
||||||
|
|
||||||
- name: Build and push with buildx (SBOM + provenance)
|
- name: Build and push with buildx (SBOM + provenance)
|
||||||
uses: docker/build-push-action@v5
|
uses: docker/build-push-action@v5
|
||||||
|
|||||||
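Review bot: the UID is hardcoded as `65532` here, and nothing in the step ties it to the UID the apko config sets (`accounts.run-as` in the apko yaml), so if the two drift the published image silently runs as a different user than the one the SBOM and provenance from the following step describe. Suggest sourcing the value from the apko config (or one shared workflow variable) and adding a post-build assertion such as `docker inspect --format '{{.Config.User}}' "$IMAGE" | grep -qx 65532`, so the non-root default Docker Scout checks for is verified rather than assumed.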
@ -199,6 +199,7 @@ jobs:
|
|||||||
/tmp/image.tar
|
/tmp/image.tar
|
||||||
echo 'FROM scratch' > /tmp/Dockerfile
|
echo 'FROM scratch' > /tmp/Dockerfile
|
||||||
echo 'ADD image.tar /' >> /tmp/Dockerfile
|
echo 'ADD image.tar /' >> /tmp/Dockerfile
|
||||||
|
echo 'USER 65532' >> /tmp/Dockerfile
|
||||||
|
|
||||||
- name: Build and push with buildx (SBOM + provenance)
|
- name: Build and push with buildx (SBOM + provenance)
|
||||||
uses: docker/build-push-action@v5
|
uses: docker/build-push-action@v5
|
||||||
|
|||||||
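Review bot: this is the third copy of the same three `echo ... >> /tmp/Dockerfile` lines (hunks at -117, -109 and -199); moving the Dockerfile generation into one shared composite action or reusable step would let a future change (another lost OCI field, a different UID) land once rather than three times. The numeric form is the right choice for this pattern: a `USER` given by name needs a matching `/etc/passwd` entry in the image, whereas `65532` works in a scratch-based rootfs without one.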