Merge pull request #19101 from dvdksn/scout-policy-nonrootuser-remediationexample

scout(policy): diff compliant/non-compliant Dockerfile, non-root user
David Karlsson 2024-01-15 17:29:35 +01:00 committed by GitHub
commit f416843b4a
1 changed files with 33 additions and 0 deletions


@ -239,3 +239,36 @@ specify a non-root default user for the runtime stage.
To make your images compliant with this policy, use the To make your images compliant with this policy, use the
[`USER`](../../engine/reference/builder.md#user) Dockerfile instruction to set [`USER`](../../engine/reference/builder.md#user) Dockerfile instruction to set
a default user that doesn't have root privileges for the runtime stage. a default user that doesn't have root privileges for the runtime stage.
The following Dockerfile snippets shows the difference between a compliant and
non-compliant image.
{{< tabs >}}
{{< tab name="Non-compliant" >}}
```dockerfile
FROM alpine AS builder
COPY Makefile ./src /
RUN make build
FROM alpine AS runtime
COPY --from=builder bin/production /app
ENTRYPOINT ["/app/production"]
```
{{< /tab >}}
{{< tab name="Compliant" >}}
```dockerfile {hl_lines=7}
FROM alpine AS builder
COPY Makefile ./src /
RUN make build
FROM alpine AS runtime
COPY --from=builder bin/production /app
USER nonroot
ENTRYPOINT ["/app/production"]
```
{{< /tab >}}
{{< /tabs >}}
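Review bot: the "Compliant" snippet sets `USER nonroot` but never creates that user, and the `alpine` base image ships no `nonroot` account, so the resulting container would fail to start with a passwd lookup error rather than run unprivileged. Add a user-creation step in the runtime stage ahead of the `USER` instruction, e.g. `RUN adduser -D nonroot` between `COPY --from=builder bin/production /app` and `USER nonroot`, or say in the prose that the named user must already exist in the image. Related: `hl_lines=7` currently highlights the `ENTRYPOINT` line, since `USER nonroot` is line 6 of that block; adjust the number (it becomes 7 once the `adduser` line is inserted). Minor wording: "The following Dockerfile snippets shows" should read "snippets show".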