Make image rootless, and run it rootless (#1975)

Create megalinter user and group in Docker image, both with ID 1000, and
activate this user after dependencies have been installed. Run Docker
container as current user via mega-linter-runner. The change to
mega-linter-runner only affects POSIX platforms, because process.getuid
and process.getgid are only available there. Previously,
mega-linter-runner ran the MegaLinter Docker image as root. Users whose
files became owned by root as a consequence of this behavior will need
to chown them to be owned by the appropriate user when upgrading
MegaLinter.

Author: Kurt-von-Laven

CHANGELOG.md

@@ -16,6 +16,8 @@ Note: Can be used with `oxsecurity/megalinter@beta` in your GitHub Action mega-l
 
 - Core
   - Fix failure of AzureCommentReporter when there is no pull request found in ENV vars
+  - Make Docker image rootless, and run it as current user rather than root on
+  POSIX by @Kurt-von-Laven in [#1975](https://github.com/oxsecurity/megalinter/issues/1975).
 
 - Documentation
 

Dockerfile

@@ -634,39 +634,46 @@ RUN dotnet tool install --global Microsoft.CST.DevSkim.CLI --version 0.7.104 \
     && find ${ML_THIRD_PARTY_DIR} -type f -not -name 'LICENSE*' -delete -o -type d -empty -delete \
     && find /tmp -path '/tmp/tmp.*' -type f -name 'misspell*' -delete -o -type d -empty -delete \
 
-# tsqllint installation
-# Next line commented because already managed by another linter
-# RUN wget --tries=5 -q -O dotnet-install.sh https://dot.net/v1/dotnet-install.sh \
-#     && chmod +x dotnet-install.sh \
-#     && ./dotnet-install.sh --install-dir /usr/share/dotnet -channel 6.0 -version latest
-# Next line commented because already managed by another linter
-# ENV PATH="${PATH}:/root/.dotnet/tools:/usr/share/dotnet"
+    # tsqllint installation
+    # Next line commented because already managed by another linter
+    # RUN wget --tries=5 -q -O dotnet-install.sh https://dot.net/v1/dotnet-install.sh \
+    #     && chmod +x dotnet-install.sh \
+    #     && ./dotnet-install.sh --install-dir /usr/share/dotnet -channel 6.0 -version latest
+    # Next line commented because already managed by another linter
+    # ENV PATH="${PATH}:/root/.dotnet/tools:/usr/share/dotnet"
     && dotnet tool install --global TSQLLint \
 
-# tflint installation
-# Managed with COPY --link --from=tflint /usr/local/bin/tflint /usr/bin/
+    # tflint installation
+    # Managed with COPY --link --from=tflint /usr/local/bin/tflint /usr/bin/
 
-# terrascan installation
-# Managed with COPY --link --from=terrascan /go/bin/terrascan /usr/bin/
+    # terrascan installation
+    # Managed with COPY --link --from=terrascan /go/bin/terrascan /usr/bin/
 
-# terragrunt installation
-# Managed with COPY --link --from=terragrunt /usr/local/bin/terragrunt /usr/bin/
+    # terragrunt installation
+    # Managed with COPY --link --from=terragrunt /usr/local/bin/terragrunt /usr/bin/
 
-# terraform-fmt installation
-# Managed with COPY --link --from=terragrunt /bin/terraform /usr/bin/
+    # terraform-fmt installation
+    # Managed with COPY --link --from=terragrunt /bin/terraform /usr/bin/
 
-# kics installation
-# Managed with COPY --link --from=kics /app/bin/kics /usr/bin/
+    # kics installation
+    # Managed with COPY --link --from=kics /app/bin/kics /usr/bin/
     && mkdir -p /opt/kics/assets
 ENV KICS_QUERIES_PATH=/opt/kics/assets/queries KICS_LIBRARIES_PATH=/opt/kics/assets/libraries
 # Managed with COPY --from=kics /app/bin/assets /opt/kics/assets/
 
 #OTHER__END
 
+#######################################
+# Create and activate megalinter user #
+#######################################
+RUN groupadd --gid 1000 megalinter \
+    && adduser --uid 1000 megalinter
+USER megalinter
+
 ################################
 # Installs python dependencies #
 ################################
-COPY megalinter /megalinter
+COPY --chown=megalinter:megalinter megalinter /megalinter
 RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
     && PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
     && rm -rf /var/cache/apk/* \
@@ -675,8 +682,8 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
 #######################################
 # Copy scripts and rules to container #
 #######################################
-COPY megalinter/descriptors /megalinter-descriptors
-COPY TEMPLATES /action/lib/.automation
+COPY --chown=megalinter:megalinter megalinter/descriptors /megalinter-descriptors
+COPY --chown=megalinter:megalinter TEMPLATES /action/lib/.automation
 
 ###########################
 # Get the build arguments #

mega-linter-runner/lib/runner.js

@@ -4,6 +4,7 @@ const optionsDefinition = require("./options");
 const { spawnSync } = require("child_process");
 const c = require("chalk");
 const path = require("path");
+const { getgid, getuid } = require("process");
 const which = require("which");
 const fs = require("fs-extra");
 const { MegaLinterUpgrader } = require("./upgrade");
@@ -132,6 +133,9 @@ ERROR: Docker engine has not been found on your system.
     if (options["containerName"]) {
       commandArgs.push(...["--name", options["containerName"]]);
     }
+    if (getuid && getgid) {
+      commandArgs.push(...["--user", `${getuid()}:${getgid()}`]);
+    }
     commandArgs.push(...["-v", "/var/run/docker.sock:/var/run/docker.sock:rw"]);
     commandArgs.push(...["-v", `${lintPath}:/tmp/lint:rw`]);
     if (options.fix === true) {