Run Docker container as user 1000 (#1975)

Kurt-von-Laven · Kurt-von-Laven · commit 080d06b9e8fb · 2023-04-04T12:38:50.000-07:00
Previously, mega-linter-runner ran the MegaLinter Docker image as root.
In the Docker image, chown the /megalinter, /megalinter-descriptors, and
/action/lib/.automation directories to be owned by user and group 1000.
Users whose files became owned by root as a consequence of having run a
previous version of MegaLinter will need to chown them to be owned by
user 1000 when upgrading MegaLinter.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,6 +15,8 @@ Note: Can be used with `oxsecurity/megalinter@beta` in your GitHub Action mega-l
 - Linter enhancements & fixes
 
 - Core
+  - Make Docker image rootless, and run it as user 1000 rather than root by
+    @Kurt-von-Laven in [#1975](https://github.com/oxsecurity/megalinter/issues/1975).
 
 - Documentation
 
diff --git a/Dockerfile b/Dockerfile
@@ -666,7 +666,7 @@ ENV KICS_QUERIES_PATH=/opt/kics/assets/queries KICS_LIBRARIES_PATH=/opt/kics/ass
 ################################
 # Installs python dependencies #
 ################################
-COPY megalinter /megalinter
+COPY --chown=1000:1000 megalinter /megalinter
 RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
     && PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
     && rm -rf /var/cache/apk/* \
@@ -675,8 +675,8 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
 #######################################
 # Copy scripts and rules to container #
 #######################################
-COPY megalinter/descriptors /megalinter-descriptors
-COPY TEMPLATES /action/lib/.automation
+COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
+COPY --chown=1000:1000 TEMPLATES /action/lib/.automation
 
 ###########################
 # Get the build arguments #
diff --git a/mega-linter-runner/lib/runner.js b/mega-linter-runner/lib/runner.js
@@ -132,6 +132,7 @@ ERROR: Docker engine has not been found on your system.
     if (options["containerName"]) {
       commandArgs.push(...["--name", options["containerName"]]);
     }
+    commandArgs.push(...["--user", `1000:1000`]);
     commandArgs.push(...["-v", "/var/run/docker.sock:/var/run/docker.sock:rw"]);
     commandArgs.push(...["-v", `${lintPath}:/tmp/lint:rw`]);
     if (options.fix === true) {

Original file line number	Diff line number	Diff line change
`@@ -132,6 +132,7 @@ ERROR: Docker engine has not been found on your system.`
`132`	`132`	`if (options["containerName"]) {`
`133`	`133`	`commandArgs.push(...["--name", options["containerName"]]);`
`134`	`134`	`}`
	`135`	+ commandArgs.push(...["--user", `1000:1000`]);
`135`	`136`	`commandArgs.push(...["-v", "/var/run/docker.sock:/var/run/docker.sock:rw"]);`
`136`	`137`	commandArgs.push(...["-v", `${lintPath}:/tmp/lint:rw`]);
`137`	`138`	`if (options.fix === true) {`