Make image rootless, and run it rootless (#1975)
Create megalinter user and group in Docker image, both with ID 1000, and
activate this user after dependencies have been installed. Run Docker
container as current user via mega-linter-runner. The change to
mega-linter-runner only affects POSIX platforms, because process.getuid
and process.getgid are only available there. Previously,
mega-linter-runner ran the MegaLinter Docker image as root. Users whose
files became owned by root as a consequence of this behavior will need
to chown them to be owned by the appropriate user when upgrading
MegaLinter.
Kurt-von-Laven committed Apr 3, 2023
1 parent 785a1eb commit 7c8104a
Showing 3 changed files with 30 additions and 17 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.md
@@ -16,6 +16,8 @@ Note: Can be used with `oxsecurity/megalinter@beta` in your GitHub Action mega-l

- Core
- Fix failure of AzureCommentReporter when there is no pull request found in ENV vars
- Run Docker container as current user rather than root by @Kurt-von-Laven in
[#1975](https://github.com/oxsecurity/megalinter/issues/1975).

- Documentation

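Review bot: The new Core entry omits the migration step the commit message spells out: workspaces that an earlier release left root-owned must be chowned back to the user, because the container now runs as that user and can no longer write to those files, and caches or lint outputs created as root will otherwise fail with permission errors. Extend the entry after "rather than root" with a sentence pointing users at chown for root-owned files, or list it where the changelog records breaking changes, so that the behaviour change is discoverable without reading the commit.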
41 changes: 24 additions & 17 deletions Dockerfile
@@ -634,35 +634,42 @@ RUN dotnet tool install --global Microsoft.CST.DevSkim.CLI --version 0.7.104 \
&& find ${ML_THIRD_PARTY_DIR} -type f -not -name 'LICENSE*' -delete -o -type d -empty -delete \
&& find /tmp -path '/tmp/tmp.*' -type f -name 'misspell*' -delete -o -type d -empty -delete \

# tsqllint installation
# Next line commented because already managed by another linter
# RUN wget --tries=5 -q -O dotnet-install.sh https://dot.net/v1/dotnet-install.sh \
# && chmod +x dotnet-install.sh \
# && ./dotnet-install.sh --install-dir /usr/share/dotnet -channel 6.0 -version latest
# Next line commented because already managed by another linter
# ENV PATH="${PATH}:/root/.dotnet/tools:/usr/share/dotnet"
# tsqllint installation
# Next line commented because already managed by another linter
# RUN wget --tries=5 -q -O dotnet-install.sh https://dot.net/v1/dotnet-install.sh \
# && chmod +x dotnet-install.sh \
# && ./dotnet-install.sh --install-dir /usr/share/dotnet -channel 6.0 -version latest
# Next line commented because already managed by another linter
# ENV PATH="${PATH}:/root/.dotnet/tools:/usr/share/dotnet"
&& dotnet tool install --global TSQLLint \

# tflint installation
# Managed with COPY --link --from=tflint /usr/local/bin/tflint /usr/bin/
# tflint installation
# Managed with COPY --link --from=tflint /usr/local/bin/tflint /usr/bin/

# terrascan installation
# Managed with COPY --link --from=terrascan /go/bin/terrascan /usr/bin/
# terrascan installation
# Managed with COPY --link --from=terrascan /go/bin/terrascan /usr/bin/

# terragrunt installation
# Managed with COPY --link --from=terragrunt /usr/local/bin/terragrunt /usr/bin/
# terragrunt installation
# Managed with COPY --link --from=terragrunt /usr/local/bin/terragrunt /usr/bin/

# terraform-fmt installation
# Managed with COPY --link --from=terragrunt /bin/terraform /usr/bin/
# terraform-fmt installation
# Managed with COPY --link --from=terragrunt /bin/terraform /usr/bin/

# kics installation
# Managed with COPY --link --from=kics /app/bin/kics /usr/bin/
# kics installation
# Managed with COPY --link --from=kics /app/bin/kics /usr/bin/
&& mkdir -p /opt/kics/assets
ENV KICS_QUERIES_PATH=/opt/kics/assets/queries KICS_LIBRARIES_PATH=/opt/kics/assets/libraries
# Managed with COPY --from=kics /app/bin/assets /opt/kics/assets/

#OTHER__END

#######################################
# Create and activate megalinter user #
#######################################
RUN groupadd --gid 1000 megalinter \
&& adduser --uid 1000 megalinter
USER megalinter

################################
# Installs python dependencies #
################################
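Review bot: `adduser --uid 1000 megalinter` is never told to use the `megalinter` group created on the line above (no `--ingroup`, `--gid` or `-G`, whichever the image's adduser accepts), so depending on the implementation the user is either created with a separate primary group or the call fails because a group of that name already exists; pass the group explicitly so the user really is 1000:1000. Also, `USER megalinter` is placed directly before the "Installs python dependencies" section, whereas the commit message says the user is activated after dependencies are installed: every RUN that follows now executes as uid 1000, so any install step that writes outside a user-writable path will fail, and tools installed earlier as root will only work at run time if the directories they write to (caches, plugin dirs) are writable by uid 1000 or by whatever host uid the runner passes. Finally, 1000 is hard-coded while the runner passes the caller's real uid, so any other uid runs without a passwd entry and with HOME=/; set a writable HOME with ENV here or document the limitation.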
4 changes: 4 additions & 0 deletions mega-linter-runner/lib/runner.js
Expand Up @@ -4,6 +4,7 @@ const optionsDefinition = require("./options");
const { spawnSync } = require("child_process");
const c = require("chalk");
const path = require("path");
const { getgid, getuid } = require("process");
const which = require("which");
const fs = require("fs-extra");
const { MegaLinterUpgrader } = require("./upgrade");
@@ -132,6 +133,9 @@ ERROR: Docker engine has not been found on your system.
if (options["containerName"]) {
commandArgs.push(...["--name", options["containerName"]]);
}
if (getuid && getgid) {
commandArgs.push(...["--user", `${getuid()}:${getgid()}`]);
}
commandArgs.push(...["-v", "/var/run/docker.sock:/var/run/docker.sock:rw"]);
commandArgs.push(...["-v", `${lintPath}:/tmp/lint:rw`]);
if (options.fix === true) {
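Review bot: The new `--user` line sits directly above the unchanged `-v /var/run/docker.sock:/var/run/docker.sock:rw` mount and the two interact: on a typical host the socket is owned by root and a docker group, so once the container process is no longer root it cannot open the socket unless that gid is also granted (for example with `--group-add`), and anything in the image that relies on the socket will start failing with permission errors only on POSIX hosts. Either pass the socket's group, drop the mount when it can no longer be used, or document the breakage; note that the non-root uid does not reduce the risk of the mount itself, since whoever can reach the socket can start privileged containers on the host. Two smaller points: `getuid && getgid` is the correct POSIX-only guard, but when the runner itself runs as root (common in CI) it emits `--user 0:0`, which overrides the image's `USER` and keeps the container root in exactly the environments where the image default would have helped; consider skipping the override for uid 0 or exposing an option to disable it. And because the image only provisions uid 1000, any other host uid runs without a passwd entry and with HOME=/ inside the container, so a writable HOME should be passed alongside `--user`.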
