chore: Implement security fixes (aristanetworks#683)

* chore: Update Dockerfile to use non-root user * fix(anta): Update regexp syntax for better readability * Update Dockerfile * Update Dockerfile * Update Dockerfile * Update Dockerfile * fix(anta): Update regexp syntax for better readability --------- Co-authored-by: Matthieu Tâche <[email protected]>
titom73 · May 17, 2024 · 29f00fd · 29f00fd
1 parent 2a51368
commit 29f00fd
Showing 1 changed file with 18 additions and 6 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -10,17 +10,24 @@ RUN pip install --upgrade pip
 WORKDIR /local
 COPY . /local
 
-ENV PYTHONPATH=/local
-ENV PATH=$PATH:/root/.local/bin
+RUN python -m venv /opt/venv
 
-RUN pip --no-cache-dir install --user .
+
+ENV PATH="/opt/venv/bin:$PATH"
+
+RUN apk add --no-cache build-base # Add build-base package
+RUN pip --no-cache-dir install "." &&\
+    pip --no-cache-dir install ".[cli]"
 
 # ----------------------------------- #
 
 ### BASE
 
 FROM python:${PYTHON_VER}-${IMG_OPTION} AS BASE
 
+# Add a system user
+RUN adduser --system anta
+
 # Opencontainer labels
 # Labels version and revision will be updating
 # during the CI with accurate information
@@ -40,7 +47,12 @@ LABEL   "org.opencontainers.image.title"="anta" \
         "org.opencontainers.image.revision"="dev" \
         "org.opencontainers.image.version"="dev"
 
-COPY --from=BUILDER /root/.local/ /root/.local
-ENV PATH=$PATH:/root/.local/bin
+# Copy artifacts from builder
+COPY --from=BUILDER /opt/venv /opt/venv
+
+# Define PATH and default user
+ENV PATH="/opt/venv/bin:$PATH"
+
+USER anta
 
-ENTRYPOINT [ "/root/.local/bin/anta" ]
+ENTRYPOINT [ "/opt/venv/bin/anta" ]