Run Docker container as user 1000 (#1975)
Previously, mega-linter-runner ran the MegaLinter Docker image as root.
In the Docker image, chown the /megalinter, /megalinter-descriptors, and
/action/lib/.automation directories to be owned by user and group 1000.
Users whose files became owned by root as a consequence of having run a
previous version of MegaLinter will need to chown them to be owned by
user 1000 when upgrading MegaLinter.
Kurt-von-Laven committed Apr 9, 2023
1 parent 4363d26 commit 05d9d00
Showing 133 changed files with 428 additions and 407 deletions.
3 changes: 2 additions & 1 deletion .automation/build.py
Expand Up @@ -251,8 +251,9 @@ def generate_flavor(flavor, flavor_info):
file.write(action_yml)
logging.info(f"Updated {flavor_action_yml}")
extra_lines = [
"COPY entrypoint.sh /entrypoint.sh",
"COPY --chown=1000:1000 entrypoint.sh /entrypoint.sh",
"RUN chmod +x entrypoint.sh",
"USER 1000",
'ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]',
]
build_dockerfile(
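Review bot: `USER 1000` in extra_lines names a UID but no group; per the Dockerfile reference, when the user has no primary group the container runs with the root group (gid 0), so the lint process would still carry group-root access to any group-writable path in the image. Make it explicit with `USER 1000:1000`, which also matches the `--chown=1000:1000` on the preceding COPY. Since this list is what build_dockerfile stamps into every flavor, this is the one place to fix it.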
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -22,6 +22,8 @@ Note: Can be used with `oxsecurity/megalinter@beta` in your GitHub Action mega-l
- Upgrade create-pull-request and create-or-update-comment GitHub Actions
- Increase auto-update-linters GitHub Action timeout
- Upgrade base Docker image to python:3.11.3-alpine3.17
- Make Docker image rootless, and run it as user 1000 rather than root by
@Kurt-von-Laven in [#1975](https://github.com/oxsecurity/megalinter/issues/1975).

- Documentation

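Review bot: the new entry omits the migration step the commit message calls out: files that became root-owned under earlier releases (including a bind-mounted workspace) must be chowned to UID 1000 before upgrading, or linters and fixers now running as 1000 will fail to write to them. Add that to this bullet or a dedicated upgrade note, and state plainly that this is a behavioural change for anyone whose CI runs the image against a root-owned working directory.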
9 changes: 5 additions & 4 deletions Dockerfile
Expand Up @@ -668,7 +668,7 @@ ENV KICS_QUERIES_PATH=/opt/kics/assets/queries KICS_LIBRARIES_PATH=/opt/kics/ass
################################
# Installs python dependencies #
################################
COPY megalinter /megalinter
COPY --chown=1000:1000 megalinter /megalinter
RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
&& PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
&& rm -rf /var/cache/apk/* \
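Review bot: `COPY --chown=1000:1000 megalinter /megalinter` is followed by a RUN that still executes as root (USER 1000 only appears at the end of the file) and writes into /megalinter: `setup.py install` generates a build/ tree and an *.egg-info directory there, and `clean --all` removes only build/. Whatever that step creates stays root-owned inside the tree just handed to UID 1000. If the runtime really needs to own /megalinter, finish the RUN with `chown -R 1000:1000 /megalinter`; if it only needs to read it, drop the --chown and keep the default world-readable root ownership, which is the safer of the two.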
Expand All @@ -677,8 +677,8 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
#######################################
# Copy scripts and rules to container #
#######################################
COPY megalinter/descriptors /megalinter-descriptors
COPY TEMPLATES /action/lib/.automation
COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
COPY --chown=1000:1000 TEMPLATES /action/lib/.automation

###########################
# Get the build arguments #
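Review bot: chowning /megalinter-descriptors and /action/lib/.automation to the runtime UID makes the linter descriptors and default config templates writable by the lint process itself. Those are read at runtime to decide which tools run and with which configuration, so a linter that executes repository-controlled code (plugins, config files) could now alter them for the rest of the run. If nothing writes there after build, keep them root-owned with the default 0755/0644 modes; the process running as 1000 can still read them. Reserve --chown for paths the runtime must write.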
Expand Down Expand Up @@ -717,7 +717,8 @@ LABEL com.github.actions.name="MegaLinter" \
org.opencontainers.image.description="Lint your code base with GitHub Actions"

#EXTRA_DOCKERFILE_LINES__START
COPY entrypoint.sh /entrypoint.sh
COPY --chown=1000:1000 entrypoint.sh /entrypoint.sh
RUN chmod +x entrypoint.sh
USER 1000
ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
#EXTRA_DOCKERFILE_LINES__END
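Review bot: `COPY --chown=1000:1000 entrypoint.sh /entrypoint.sh` makes the entrypoint owned, and therefore writable, by the same UID that runs the linters; root ownership plus the existing `chmod +x` is enough for bash to execute it and keeps it out of reach of anything that gains code execution as 1000. Separately, no `adduser`/`addgroup` for UID 1000 is visible in the diff, so unless the base image defines it the process has no passwd entry, HOME is left at `/` (not writable by 1000) and tools that look up the current user by UID can fail with a user-not-found error. On this Alpine base, `RUN addgroup -g 1000 megalinter && adduser -u 1000 -G megalinter -D -h /home/megalinter megalinter` before `USER 1000`, together with `ENV HOME=/home/megalinter`, would cover that.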
9 changes: 5 additions & 4 deletions flavors/ci_light/Dockerfile
Expand Up @@ -209,7 +209,7 @@ RUN wget -q -O - https://raw.githubusercontent.com/dotenv-linter/dotenv-linter/m
################################
# Installs python dependencies #
################################
COPY megalinter /megalinter
COPY --chown=1000:1000 megalinter /megalinter
RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
&& PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
&& rm -rf /var/cache/apk/* \
Expand All @@ -218,8 +218,8 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
#######################################
# Copy scripts and rules to container #
#######################################
COPY megalinter/descriptors /megalinter-descriptors
COPY TEMPLATES /action/lib/.automation
COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
COPY --chown=1000:1000 TEMPLATES /action/lib/.automation

###########################
# Get the build arguments #
Expand Down Expand Up @@ -258,7 +258,8 @@ LABEL com.github.actions.name="MegaLinter" \
org.opencontainers.image.description="Lint your code base with GitHub Actions"

#EXTRA_DOCKERFILE_LINES__START
COPY entrypoint.sh /entrypoint.sh
COPY --chown=1000:1000 entrypoint.sh /entrypoint.sh
RUN chmod +x entrypoint.sh
USER 1000
ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
#EXTRA_DOCKERFILE_LINES__END
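Review bot: this block, and the identical ones in the other flavor Dockerfiles in this commit, sits between the #EXTRA_DOCKERFILE_LINES markers and is stamped in from the extra_lines list in .automation/build.py, so any follow-up to the COPY --chown or USER lines should be made there and the flavors regenerated rather than patched by hand, or the next build.py run will silently revert it.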
9 changes: 5 additions & 4 deletions flavors/cupcake/Dockerfile
Expand Up @@ -450,7 +450,7 @@ ENV KICS_QUERIES_PATH=/opt/kics/assets/queries KICS_LIBRARIES_PATH=/opt/kics/ass
################################
# Installs python dependencies #
################################
COPY megalinter /megalinter
COPY --chown=1000:1000 megalinter /megalinter
RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
&& PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
&& rm -rf /var/cache/apk/* \
Expand All @@ -459,8 +459,8 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
#######################################
# Copy scripts and rules to container #
#######################################
COPY megalinter/descriptors /megalinter-descriptors
COPY TEMPLATES /action/lib/.automation
COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
COPY --chown=1000:1000 TEMPLATES /action/lib/.automation

###########################
# Get the build arguments #
Expand Down Expand Up @@ -499,7 +499,8 @@ LABEL com.github.actions.name="MegaLinter" \
org.opencontainers.image.description="Lint your code base with GitHub Actions"

#EXTRA_DOCKERFILE_LINES__START
COPY entrypoint.sh /entrypoint.sh
COPY --chown=1000:1000 entrypoint.sh /entrypoint.sh
RUN chmod +x entrypoint.sh
USER 1000
ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
#EXTRA_DOCKERFILE_LINES__END
9 changes: 5 additions & 4 deletions flavors/documentation/Dockerfile
Expand Up @@ -296,7 +296,7 @@ RUN printf '#!/bin/bash \n\nif [[ -x "$1" ]]; then exit 0; else echo "Error: Fil
################################
# Installs python dependencies #
################################
COPY megalinter /megalinter
COPY --chown=1000:1000 megalinter /megalinter
RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
&& PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
&& rm -rf /var/cache/apk/* \
Expand All @@ -305,8 +305,8 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
#######################################
# Copy scripts and rules to container #
#######################################
COPY megalinter/descriptors /megalinter-descriptors
COPY TEMPLATES /action/lib/.automation
COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
COPY --chown=1000:1000 TEMPLATES /action/lib/.automation

###########################
# Get the build arguments #
Expand Down Expand Up @@ -345,7 +345,8 @@ LABEL com.github.actions.name="MegaLinter" \
org.opencontainers.image.description="Lint your code base with GitHub Actions"

#EXTRA_DOCKERFILE_LINES__START
COPY entrypoint.sh /entrypoint.sh
COPY --chown=1000:1000 entrypoint.sh /entrypoint.sh
RUN chmod +x entrypoint.sh
USER 1000
ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
#EXTRA_DOCKERFILE_LINES__END
9 changes: 5 additions & 4 deletions flavors/dotnet/Dockerfile
Expand Up @@ -391,7 +391,7 @@ RUN curl --retry 5 --retry-delay 5 -sLO "${ARM_TTK_URI}" \
################################
# Installs python dependencies #
################################
COPY megalinter /megalinter
COPY --chown=1000:1000 megalinter /megalinter
RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
&& PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
&& rm -rf /var/cache/apk/* \
Expand All @@ -400,8 +400,8 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
#######################################
# Copy scripts and rules to container #
#######################################
COPY megalinter/descriptors /megalinter-descriptors
COPY TEMPLATES /action/lib/.automation
COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
COPY --chown=1000:1000 TEMPLATES /action/lib/.automation

###########################
# Get the build arguments #
Expand Down Expand Up @@ -440,7 +440,8 @@ LABEL com.github.actions.name="MegaLinter" \
org.opencontainers.image.description="Lint your code base with GitHub Actions"

#EXTRA_DOCKERFILE_LINES__START
COPY entrypoint.sh /entrypoint.sh
COPY --chown=1000:1000 entrypoint.sh /entrypoint.sh
RUN chmod +x entrypoint.sh
USER 1000
ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
#EXTRA_DOCKERFILE_LINES__END
9 changes: 5 additions & 4 deletions flavors/go/Dockerfile
Expand Up @@ -311,7 +311,7 @@ RUN printf '#!/bin/bash \n\nif [[ -x "$1" ]]; then exit 0; else echo "Error: Fil
################################
# Installs python dependencies #
################################
COPY megalinter /megalinter
COPY --chown=1000:1000 megalinter /megalinter
RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
&& PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
&& rm -rf /var/cache/apk/* \
Expand All @@ -320,8 +320,8 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
#######################################
# Copy scripts and rules to container #
#######################################
COPY megalinter/descriptors /megalinter-descriptors
COPY TEMPLATES /action/lib/.automation
COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
COPY --chown=1000:1000 TEMPLATES /action/lib/.automation

###########################
# Get the build arguments #
Expand Down Expand Up @@ -360,7 +360,8 @@ LABEL com.github.actions.name="MegaLinter" \
org.opencontainers.image.description="Lint your code base with GitHub Actions"

#EXTRA_DOCKERFILE_LINES__START
COPY entrypoint.sh /entrypoint.sh
COPY --chown=1000:1000 entrypoint.sh /entrypoint.sh
RUN chmod +x entrypoint.sh
USER 1000
ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
#EXTRA_DOCKERFILE_LINES__END
9 changes: 5 additions & 4 deletions flavors/java/Dockerfile
Expand Up @@ -324,7 +324,7 @@ RUN wget --quiet https://github.com/pmd/pmd/releases/download/pmd_releases%2F${P
################################
# Installs python dependencies #
################################
COPY megalinter /megalinter
COPY --chown=1000:1000 megalinter /megalinter
RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
&& PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
&& rm -rf /var/cache/apk/* \
Expand All @@ -333,8 +333,8 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
#######################################
# Copy scripts and rules to container #
#######################################
COPY megalinter/descriptors /megalinter-descriptors
COPY TEMPLATES /action/lib/.automation
COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
COPY --chown=1000:1000 TEMPLATES /action/lib/.automation

###########################
# Get the build arguments #
Expand Down Expand Up @@ -373,7 +373,8 @@ LABEL com.github.actions.name="MegaLinter" \
org.opencontainers.image.description="Lint your code base with GitHub Actions"

#EXTRA_DOCKERFILE_LINES__START
COPY entrypoint.sh /entrypoint.sh
COPY --chown=1000:1000 entrypoint.sh /entrypoint.sh
RUN chmod +x entrypoint.sh
USER 1000
ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
#EXTRA_DOCKERFILE_LINES__END
9 changes: 5 additions & 4 deletions flavors/javascript/Dockerfile
Expand Up @@ -312,7 +312,7 @@ RUN printf '#!/bin/bash \n\nif [[ -x "$1" ]]; then exit 0; else echo "Error: Fil
################################
# Installs python dependencies #
################################
COPY megalinter /megalinter
COPY --chown=1000:1000 megalinter /megalinter
RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
&& PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
&& rm -rf /var/cache/apk/* \
Expand All @@ -321,8 +321,8 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
#######################################
# Copy scripts and rules to container #
#######################################
COPY megalinter/descriptors /megalinter-descriptors
COPY TEMPLATES /action/lib/.automation
COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
COPY --chown=1000:1000 TEMPLATES /action/lib/.automation

###########################
# Get the build arguments #
Expand Down Expand Up @@ -361,7 +361,8 @@ LABEL com.github.actions.name="MegaLinter" \
org.opencontainers.image.description="Lint your code base with GitHub Actions"

#EXTRA_DOCKERFILE_LINES__START
COPY entrypoint.sh /entrypoint.sh
COPY --chown=1000:1000 entrypoint.sh /entrypoint.sh
RUN chmod +x entrypoint.sh
USER 1000
ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
#EXTRA_DOCKERFILE_LINES__END
9 changes: 5 additions & 4 deletions flavors/php/Dockerfile
Expand Up @@ -340,7 +340,7 @@ RUN composer global require --ignore-platform-reqs overtrue/phplint ^5.3 \
################################
# Installs python dependencies #
################################
COPY megalinter /megalinter
COPY --chown=1000:1000 megalinter /megalinter
RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
&& PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
&& rm -rf /var/cache/apk/* \
Expand All @@ -349,8 +349,8 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
#######################################
# Copy scripts and rules to container #
#######################################
COPY megalinter/descriptors /megalinter-descriptors
COPY TEMPLATES /action/lib/.automation
COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
COPY --chown=1000:1000 TEMPLATES /action/lib/.automation

###########################
# Get the build arguments #
Expand Down Expand Up @@ -389,7 +389,8 @@ LABEL com.github.actions.name="MegaLinter" \
org.opencontainers.image.description="Lint your code base with GitHub Actions"

#EXTRA_DOCKERFILE_LINES__START
COPY entrypoint.sh /entrypoint.sh
COPY --chown=1000:1000 entrypoint.sh /entrypoint.sh
RUN chmod +x entrypoint.sh
USER 1000
ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
#EXTRA_DOCKERFILE_LINES__END
9 changes: 5 additions & 4 deletions flavors/python/Dockerfile
Expand Up @@ -307,7 +307,7 @@ RUN printf '#!/bin/bash \n\nif [[ -x "$1" ]]; then exit 0; else echo "Error: Fil
################################
# Installs python dependencies #
################################
COPY megalinter /megalinter
COPY --chown=1000:1000 megalinter /megalinter
RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
&& PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
&& rm -rf /var/cache/apk/* \
Expand All @@ -316,8 +316,8 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
#######################################
# Copy scripts and rules to container #
#######################################
COPY megalinter/descriptors /megalinter-descriptors
COPY TEMPLATES /action/lib/.automation
COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
COPY --chown=1000:1000 TEMPLATES /action/lib/.automation

###########################
# Get the build arguments #
Expand Down Expand Up @@ -356,7 +356,8 @@ LABEL com.github.actions.name="MegaLinter" \
org.opencontainers.image.description="Lint your code base with GitHub Actions"

#EXTRA_DOCKERFILE_LINES__START
COPY entrypoint.sh /entrypoint.sh
COPY --chown=1000:1000 entrypoint.sh /entrypoint.sh
RUN chmod +x entrypoint.sh
USER 1000
ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
#EXTRA_DOCKERFILE_LINES__END
9 changes: 5 additions & 4 deletions flavors/ruby/Dockerfile
Expand Up @@ -297,7 +297,7 @@ RUN printf '#!/bin/bash \n\nif [[ -x "$1" ]]; then exit 0; else echo "Error: Fil
################################
# Installs python dependencies #
################################
COPY megalinter /megalinter
COPY --chown=1000:1000 megalinter /megalinter
RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
&& PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
&& rm -rf /var/cache/apk/* \
Expand All @@ -306,8 +306,8 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
#######################################
# Copy scripts and rules to container #
#######################################
COPY megalinter/descriptors /megalinter-descriptors
COPY TEMPLATES /action/lib/.automation
COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
COPY --chown=1000:1000 TEMPLATES /action/lib/.automation

###########################
# Get the build arguments #
Expand Down Expand Up @@ -346,7 +346,8 @@ LABEL com.github.actions.name="MegaLinter" \
org.opencontainers.image.description="Lint your code base with GitHub Actions"

#EXTRA_DOCKERFILE_LINES__START
COPY entrypoint.sh /entrypoint.sh
COPY --chown=1000:1000 entrypoint.sh /entrypoint.sh
RUN chmod +x entrypoint.sh
USER 1000
ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
#EXTRA_DOCKERFILE_LINES__END
9 changes: 5 additions & 4 deletions flavors/rust/Dockerfile
Expand Up @@ -291,7 +291,7 @@ RUN printf '#!/bin/bash \n\nif [[ -x "$1" ]]; then exit 0; else echo "Error: Fil
################################
# Installs python dependencies #
################################
COPY megalinter /megalinter
COPY --chown=1000:1000 megalinter /megalinter
RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
&& PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
&& rm -rf /var/cache/apk/* \
Expand All @@ -300,8 +300,8 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
#######################################
# Copy scripts and rules to container #
#######################################
COPY megalinter/descriptors /megalinter-descriptors
COPY TEMPLATES /action/lib/.automation
COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
COPY --chown=1000:1000 TEMPLATES /action/lib/.automation

###########################
# Get the build arguments #
Expand Down Expand Up @@ -340,7 +340,8 @@ LABEL com.github.actions.name="MegaLinter" \
org.opencontainers.image.description="Lint your code base with GitHub Actions"

#EXTRA_DOCKERFILE_LINES__START
COPY entrypoint.sh /entrypoint.sh
COPY --chown=1000:1000 entrypoint.sh /entrypoint.sh
RUN chmod +x entrypoint.sh
USER 1000
ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
#EXTRA_DOCKERFILE_LINES__END