
Conversation

@tim48-robot
Contributor

fixes Medium: Docker COPY . . (possible sensitive file inclusion).
fixes Medium: container running as root.
Addresses “copied resources should not be writable by non-root”.


@github-actions

github-actions bot commented Jan 4, 2026

⚠️ PR Description Issues Detected

Please update the PR description to address these issues.

Contributor

Copilot AI left a comment


Pull request overview

This PR hardens Docker images for security by implementing least privilege principles across three Dockerfiles. It addresses security scanner findings related to sensitive file inclusion and running containers as root.

Key changes:

  • Creates and switches to non-root users in all containers to prevent running as root
  • Replaces COPY . . with explicit selective file copying to avoid including sensitive files
  • Changes npm install to npm ci for more secure, deterministic builds
  • Adds cleanup of apt cache to reduce image size and attack surface

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File: firebase-emulator/Dockerfile
Description: Adds non-root 'firebase' user, explicit file copying, apt cache cleanup, and creates firebase-debug.log with proper ownership

File: Dockerfile-playwright
Description: Creates non-root 'app' user, replaces wildcards with explicit file copying in both build and production stages, sets up Playwright cache with proper permissions

File: Dockerfile
Description: Implements non-root 'app' user in production stage, removes .env file from build stage, uses explicit file copying instead of wildcards, switches from npm install to npm ci


tim48-robot and others added 3 commits January 5, 2026 20:50
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
… execution

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@tim48-robot
Contributor Author

Wait before merging, let me check the hotspot problem.

Add chmod -R 555 after COPY to remove write permissions.
Fixes SonarCloud security hotspot docker:S6504
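
As an added example (not the repository's own Dockerfile and not a diff from this PR), here is a multi-stage Node image that applies the measures listed in the Copilot review above together with the `chmod -R 555` from this commit: a non-root user, explicit `COPY` instead of `COPY . .`, `npm ci` instead of `npm install`, apt cache cleanup, read-only copied resources, and one explicitly owned writable directory. The file and directory names (package.json, package-lock.json, tsconfig.json, src/, dist/, server.js, /var/app-data), the port and the base image tag are assumptions for illustration.

```dockerfile
# Added example, not the project's Dockerfile. File names, paths, port
# and base image are assumptions chosen for illustration.

# ---------- build stage ----------
FROM node:20-slim AS build
WORKDIR /app

# Copy only what the build needs instead of `COPY . .`, so .env files,
# keys and other repository contents never enter any image layer.
COPY package.json package-lock.json ./
# npm ci installs exactly what the lock file pins and fails if the lock
# file and package.json disagree; npm install would silently update.
RUN npm ci
COPY tsconfig.json ./
COPY src ./src
RUN npm run build

# ---------- production stage ----------
FROM node:20-slim
WORKDIR /app

# Unprivileged system user and group for running the application.
RUN groupadd --system app && useradd --system --gid app --create-home app

# Install OS packages in one layer and drop the apt cache afterwards
# (smaller image, no stale package lists to scan or exploit).
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates \
 && rm -rf /var/lib/apt/lists/*

# Production dependencies only, again from the lock file.
COPY --chown=app:app package.json package-lock.json ./
RUN npm ci --omit=dev && npm cache clean --force

# Copy only the build output from the build stage, owned by app.
COPY --from=build --chown=app:app /app/dist ./dist

# Copied resources must not be writable (SonarCloud docker:S6504):
# read and execute only, for owner, group and others.
RUN chmod -R 555 /app

# The application still needs somewhere to write. Give it one explicit,
# app-owned directory outside /app rather than loosening /app itself.
RUN mkdir -p /var/app-data && chown app:app /var/app-data
ENV APP_DATA_DIR=/var/app-data

# Everything from here on, including CMD, runs as the non-root user.
USER app
EXPOSE 3000
CMD ["node", "dist/server.js"]
```

Two things worth checking after building such an image: `docker run --rm <image> id -u` should print a non-zero uid, and `docker run --rm <image> touch /app/x` should fail with a permission error, which is exactly the behaviour the `chmod -R 555` is meant to guarantee. Explicit `COPY` lines are the primary control against sensitive file inclusion; a `.dockerignore` that excludes `.env`, `.git` and key material is a useful second layer, since it protects even a later `COPY . .` added by mistake.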
@tim48-robot
Contributor Author

tim48-robot commented Jan 5, 2026

Should be ready to merge, and somehow SonarCloud always gives false positives :/

@sonarqubecloud

sonarqubecloud bot commented Jan 5, 2026

