Run SDK image as nonroot (UID 65532) for Docker Scout compliance

- apko/sdk.yaml: run-as 65532, create /home/nonroot and /app owned by nonroot - sdk.Dockerfile: USER 65532, set HOME and DOTNET_CLI_HOME to /home/nonroot - README/DOCKERHUB: update examples to use COPY --chown=nonroot and /app/publish dotnet restore writes NuGet cache to $DOTNET_CLI_HOME/.nuget/packages which is now /home/nonroot/.nuget/packages — no root needed. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-03 15:39:51 -05:00
parent fa20f6f0ea
commit 74bb1f6070
4 changed files with 40 additions and 26 deletions
@@ -25,7 +25,19 @@ accounts:
    - username: nonroot
      uid: 65532
      gid: 65532
-  run-as: 0
+  run-as: 65532
+
+paths:
+  - path: /home/nonroot
+    type: directory
+    uid: 65532
+    gid: 65532
+    permissions: 0o755
+  - path: /app
+    type: directory
+    uid: 65532
+    gid: 65532
+    permissions: 0o755

 archs:
  - x86_64