diff --git a/.github/workflows/docker-dev.yaml b/.github/workflows/docker-dev.yaml
index 3884e26..7c57429 100644
--- a/.github/workflows/docker-dev.yaml
+++ b/.github/workflows/docker-dev.yaml
@@ -62,4 +62,7 @@ jobs:
 with:
 tag: ${{ env.IMAGE_NAME }}
 path: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}
- dockerfile: ${{ env.DOCKERFILE }}
\ No newline at end of file
+ dockerfile: ${{ env.DOCKERFILE }}
+ hadolint-severity: none
+ dockle-severity: FATAL
+ trivy-severity: CRITICAL
\ No newline at end of file
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index b3e5afb..13b400e 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -62,4 +62,7 @@ jobs:
 with:
 tag: ${{ env.IMAGE_NAME }}
 path: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}
- dockerfile: ${{ env.DOCKERFILE }}
\ No newline at end of file
+ dockerfile: ${{ env.DOCKERFILE }}
+ hadolint-severity: none
+ dockle-severity: FATAL
+ trivy-severity: CRITICAL
\ No newline at end of file
diff --git a/ckan-pycsw/Dockerfile b/ckan-pycsw/Dockerfile
index 3912846..9266af1 100644
--- a/ckan-pycsw/Dockerfile
+++ b/ckan-pycsw/Dockerfile
@@ -1,6 +1,11 @@
 FROM python:3.11.5-slim-bullseye
 LABEL maintainer="mnl.janez@gmail.com"
+# Production non-root user
+ENV USERNAME=ckan-pycsw
+ENV USER_UID=10001
+ENV USER_GID=$USER_UID
+# ckan-pycsw envvars
 ENV APP_DIR=/app
 ENV TZ=UTC
 RUN echo ${TZ} > /etc/timezone
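Review bot: `hadolint-severity: none` in the docker-dev.yaml hunk turns the Dockerfile lint step into a pass-through, so any regression in the Dockerfiles this same commit hardens would no longer fail the build; the docker.yaml hunk sets the identical three values, so the production pipeline loses the same gate. If this input maps onto hadolint's `--failure-threshold`, `hadolint-severity: error` keeps definite errors blocking while still tolerating warnings and style findings. `trivy-severity: CRITICAL` likewise lets HIGH image findings through; that may be a deliberate choice for a noisy first run, but a short comment above the three lines recording why the thresholds are relaxed, and when they are meant to be tightened, would spare the next reader from guessing.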
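Review bot: `ENV USERNAME`, `ENV USER_UID` and `ENV USER_GID` in the first ckan-pycsw/Dockerfile hunk are build-time inputs (they only feed `groupadd`/`useradd` and `USER`), yet `ENV` bakes them into the runtime environment of every container, visible to `docker inspect` and inherited by every child process. `ARG USERNAME=ckan-pycsw`, `ARG USER_UID=10001` and `ARG USER_GID=$USER_UID` are visible to the later `RUN` and `USER` instructions in the same stage and keep the runtime env clean; the same applies to the first hunks of Dockerfile.dev, Dockerfile.ghcr and Dockerfile.ghcr.dev. The `# Production non-root user` comment is copied verbatim into Dockerfile.dev and Dockerfile.ghcr.dev, where "Production" is misleading and `# Non-root runtime user` would fit all four files.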
@@ -13,14 +18,19 @@ ENV DEV_MODE=False
 ENV TIMEOUT=300
 ENV PYCSW_CRON_DAYS_INTERVAL=2
-RUN apt-get -q -y update && \
- apt-get install -y wget && \
+WORKDIR ${APP_DIR}
+
+RUN groupadd --gid $USER_GID $USERNAME \
+ && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME && \
+ chown -R $USERNAME:$USERNAME $APP_DIR && \
+ apt-get -q -y update && apt-get install -y \
+ wget && \
 DEBIAN_FRONTEND=noninteractive apt-get -yq install gettext-base && \
 wget -O /wait-for https://raw.githubusercontent.com/eficode/wait-for/v2.2.3/wait-for && \
 chmod +x /wait-for && \
- python3 -m pip install pdm
+ python3 -m pip install pdm && \
+ rm -rf /var/lib/apt/lists/*
-WORKDIR ${APP_DIR}
 COPY pyproject.toml pdm.lock ./
 RUN pdm install --no-self --group prod
@@ -30,5 +40,7 @@ COPY ckan2pycsw ckan2pycsw
 EXPOSE ${PYCSW_PORT}/TCP
+USER $USERNAME
+
 ENTRYPOINT ["/bin/bash", "./entrypoint.sh"]
 CMD ["tail", "-f", "/dev/null"]
\ No newline at end of file
diff --git a/ckan-pycsw/Dockerfile.dev b/ckan-pycsw/Dockerfile.dev
index d0eff40..91ba5b9 100644
--- a/ckan-pycsw/Dockerfile.dev
+++ b/ckan-pycsw/Dockerfile.dev
@@ -1,6 +1,11 @@
 FROM python:3.11.5-slim-bullseye
 LABEL maintainer="mnl.janez@gmail.com"
+# Production non-root user
+ENV USERNAME=ckan-pycsw
+ENV USER_UID=10001
+ENV USER_GID=$USER_UID
+# ckan-pycsw envvars
 ENV APP_DIR=/app
 ENV TZ=UTC
 RUN echo ${TZ} > /etc/timezone
@@ -13,14 +18,17 @@ ENV DEV_MODE=True
 ENV PYCSW_DEV_PORT=5678
 ENV TIMEOUT=300
-RUN apt-get -q -y update && \
- apt-get install -y wget procps && \
+RUN apt-get -q -y update && apt-get install -y \
+ wget \
+ procps && \
 DEBIAN_FRONTEND=noninteractive apt-get -yq install gettext-base && \
 wget -O /wait-for https://raw.githubusercontent.com/eficode/wait-for/v2.2.4/wait-for && \
 chmod +x /wait-for && \
- python3 -m pip install pdm debugpy
+ python3 -m pip install pdm debugpy && \
+ rm -rf /var/lib/apt/lists/*
 WORKDIR ${APP_DIR}
+
 COPY pyproject.toml pdm.lock ./
 RUN pdm install --no-self --group prod
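Review bot: The `chown -R $USERNAME:$USERNAME $APP_DIR` in the `RUN groupadd` hunk of ckan-pycsw/Dockerfile runs immediately after `WORKDIR` creates an empty `/app`, so it changes nothing that matters: `COPY pyproject.toml pdm.lock ./`, `RUN pdm install` and the later `COPY ckan2pycsw` all execute afterwards as root, leaving the tree the `USER $USERNAME` process sees root-owned. Reads still work, but anything entrypoint.sh writes under `/app` (a rendered config from the template, logs, a pdm cache) will fail with a permission error once the user switch takes effect — I cannot see entrypoint.sh here, so treat that as something to verify. Either use `COPY --chown=$USERNAME:$USERNAME pyproject.toml pdm.lock ./` on each subsequent COPY, or move the `chown -R` into a `RUN` placed after the last COPY. While this line is being rewritten, `apt-get install -y --no-install-recommends \` would also keep the image smaller.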
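Review bot: `USER $USERNAME` in the `@@ -30,5 +40,7 @@` hunk of ckan-pycsw/Dockerfile now governs whatever entrypoint.sh binds on `${PYCSW_PORT}`, the port `EXPOSE`d one line above; the value is set outside this hunk, and if it is below 1024 a non-root bind fails at startup unless the runtime grants unprivileged ports (Docker Engine ≥20.10 does by default, Kubernetes generally does not). A comment on the new line, `# drop privileges; PYCSW_PORT must be >1023 or the runtime must allow unprivileged binds`, would record the constraint for operators. The same caveat applies to the `USER` hunks in Dockerfile.dev, Dockerfile.ghcr and Dockerfile.ghcr.dev.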
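Review bot: The rewritten `RUN apt-get` block in ckan-pycsw/Dockerfile.dev never creates the `$USERNAME` account, yet the `@@ -31,6 +39,8 @@` hunk below switches to it with `USER $USERNAME`; unlike ckan-pycsw/Dockerfile no `groupadd`/`useradd` was added, and the lines between the hunks are, judging by the hunk headers, unchanged ENV and COPY lines, so the user appears to exist nowhere in this image. Docker resolves `USER` against the image's passwd file when the container starts, so the dev image would fail with an "unable to find user" error unless the account is created somewhere I cannot see. Mirror the production file with `RUN groupadd --gid $USER_GID $USERNAME && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME` before the apt-get line, and consider `--chown` on the following COPYs for the same reason as in ckan-pycsw/Dockerfile. Dockerfile.ghcr.dev builds `FROM ghcr.io/mjanez/ckan-pycsw-dev:latest`, so it inherits this gap.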
@@ -31,6 +39,8 @@ COPY ckan2pycsw ckan2pycsw
 EXPOSE ${PYCSW_PORT}/TCP
 EXPOSE ${PYCSW_DEV_PORT}/TCP
+USER $USERNAME
+
 # Set entrypoint with debugpy
 ENTRYPOINT ["/bin/bash", "-c", "python3 -m debugpy --listen 0.0.0.0:${PYCSW_DEV_PORT} --wait-for-client ./entrypoint_dev.sh"]
 CMD ["pdm", "run", "python3", "-m", "gunicorn", "pycsw.wsgi:application", "-b", "0.0.0.0:${PYCSW_PORT}"]
\ No newline at end of file
diff --git a/ckan-pycsw/Dockerfile.ghcr b/ckan-pycsw/Dockerfile.ghcr
index 14bcadd..5057f63 100644
--- a/ckan-pycsw/Dockerfile.ghcr
+++ b/ckan-pycsw/Dockerfile.ghcr
@@ -1,6 +1,11 @@
 FROM ghcr.io/mjanez/ckan-pycsw:latest
 LABEL maintainer="mnl.janez@gmail.com"
+# Production non-root user
+ENV USERNAME=ckan-pycsw
+ENV USER_UID=10001
+ENV USER_GID=$USER_UID
+# ckan-pycsw envvars
 ENV APP_DIR=/app
 ENV TZ=UTC
 RUN echo ${TZ} > /etc/timezone
@@ -17,4 +22,6 @@ WORKDIR ${APP_DIR}
 COPY ckan-pycsw/conf/pycsw.conf.template ckan-pycsw/docker-entrypoint.d/entrypoint.sh ./
+USER $USERNAME
+
 ENTRYPOINT ["/bin/bash", "./entrypoint.sh"]
\ No newline at end of file
diff --git a/ckan-pycsw/Dockerfile.ghcr.dev b/ckan-pycsw/Dockerfile.ghcr.dev
index e8f4029..4f3b4e9 100644
--- a/ckan-pycsw/Dockerfile.ghcr.dev
+++ b/ckan-pycsw/Dockerfile.ghcr.dev
@@ -1,6 +1,11 @@
 FROM ghcr.io/mjanez/ckan-pycsw-dev:latest
 LABEL maintainer="mnl.janez@gmail.com"
+# Production non-root user
+ENV USERNAME=ckan-pycsw
+ENV USER_UID=10001
+ENV USER_GID=$USER_UID
+# ckan-pycsw envvars
 ENV APP_DIR=/app
 ENV TZ=UTC
 RUN echo ${TZ} > /etc/timezone
@@ -20,6 +25,8 @@ COPY ckan-pycsw/conf/pycsw.conf.template ckan-pycsw/docker-entrypoint.d/entrypoi
 EXPOSE ${PYCSW_PORT}/TCP
 EXPOSE ${PYCSW_DEV_PORT}/TCP
+USER $USERNAME
+
 # Set entrypoint with debugpy
 ENTRYPOINT ["/bin/bash", "-c", "python3 -m debugpy --listen 0.0.0.0:${PYCSW_DEV_PORT} --wait-for-client ./entrypoint_dev.sh"]
 CMD ["pdm", "run", "python3", "-m", "gunicorn", "pycsw.wsgi:application", "-b", "0.0.0.0:${PYCSW_PORT}"]
\ No newline at end of file
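Review bot: `USER $USERNAME` in the last ckan-pycsw/Dockerfile.ghcr hunk depends on the account already existing in `ghcr.io/mjanez/ckan-pycsw:latest`; this file redeclares `USERNAME` but never runs `useradd`, and a floating `:latest` base gives no guarantee the published tag was built from a Dockerfile that creates it — pin the base by tag or digest, or create the user defensively with `id -u $USERNAME >/dev/null 2>&1 || useradd --uid $USER_UID --gid $USER_GID -m $USERNAME`. The `COPY … pycsw.conf.template … entrypoint.sh ./` one line above still runs as root, so `--chown=$USERNAME:$USERNAME` is needed there if entrypoint.sh renders the config next to the template (not visible here, so please check). The final Dockerfile.ghcr.dev hunk has the same two issues, compounded by its base being built from Dockerfile.dev, which in this commit does not create the user at all.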