docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

scout(policy): diff compliant/non-compliant Dockerfile, non-root user 

Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
This commit is contained in:
David Karlsson 2024-01-15 15:39:53 +01:00
parent 513c588368
commit fea5253efa
1 changed files with 33 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
content/scout/policy/_index.md
View File

@ -239,3 +239,36 @@ specify a non-root default user for the runtime stage.
To make your images compliant with this policy, use the To make your images compliant with this policy, use the
[`USER`](../../engine/reference/builder.md#user) Dockerfile instruction to set [`USER`](../../engine/reference/builder.md#user) Dockerfile instruction to set
a default user that doesn't have root privileges for the runtime stage. a default user that doesn't have root privileges for the runtime stage.
The following Dockerfile snippets shows the difference between a compliant and
non-compliant image.
{{< tabs >}}
{{< tab name="Non-compliant" >}}
```dockerfile
FROM alpine AS builder
COPY Makefile ./src /
RUN make build
FROM alpine AS runtime
COPY --from=builder bin/production /app
ENTRYPOINT ["/app/production"]
```
{{< /tab >}}
{{< tab name="Compliant" >}}
```dockerfile {hl_lines=7}
FROM alpine AS builder
COPY Makefile ./src /
RUN make build
FROM alpine AS runtime
COPY --from=builder bin/production /app
USER nonroot
ENTRYPOINT ["/app/production"]
```
{{< /tab >}}
{{< /tabs >}}