Run process as non-root

Dockerfile

@@ -1,16 +1,42 @@
 FROM golang:1.22-alpine
 
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+	\
+	apk add --no-cache --virtual .gosu-deps \
+		ca-certificates==20240705-r0 \
+		dpkg==1.22.6-r1 \
+		gnupg==2.4.5-r0 && \
+	dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')" && \
+	wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+	wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+	export GNUPGHOME="$(mktemp -d)"; \
+	gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+	gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+	gpgconf --kill all; \
+	rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+	apk del --no-network .gosu-deps; \
+	chmod +x /usr/local/bin/gosu; \
+	gosu --version; \
+	gosu nobody true
+
 WORKDIR /app
 
 SHELL ["/bin/ash", "-o", "pipefail", "-c"]
 
+RUN adduser -S -G nobody scyllaridae
+
 RUN apk update && \
     apk add --no-cache \
       curl==8.9.0-r0 \
       bash==5.2.26-r0 \
       ca-certificates==20240705-r0 \
       openssl==3.3.1-r3
+
 COPY . ./
+
+RUN chown -R scyllaridae:nobody /app
+
 RUN go mod download && \
   go build -o /app/scyllaridae && \
   go clean -cache -modcache && \

docker-entrypoint.sh

@@ -8,4 +8,4 @@ if [ -f /app/ca.pem ]; then
     update-ca-certificates
 fi
 
-exec /app/scyllaridae
+exec gosu scyllaridae /app/scyllaridae