From 29f00fd061e8fcd5b91c808c00f2982876d269c8 Mon Sep 17 00:00:00 2001 From: Thomas Grimonet Date: Fri, 17 May 2024 14:43:44 +0200 Subject: [PATCH] chore: Implement security fixes (#683) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * chore: Update Dockerfile to use non-root user * fix(anta): Update regexp syntax for better readability * Update Dockerfile * Update Dockerfile * Update Dockerfile * Update Dockerfile * fix(anta): Update regexp syntax for better readability --------- Co-authored-by: Matthieu Tâche
---
 Dockerfile | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index f3d241cca..873bc1c26 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,10 +10,14 @@ RUN pip install --upgrade pip
 WORKDIR /local
 COPY . /local
-ENV PYTHONPATH=/local
-ENV PATH=$PATH:/root/.local/bin
+RUN python -m venv /opt/venv
-RUN pip --no-cache-dir install --user .
+
+ENV PATH="/opt/venv/bin:$PATH"
+
+RUN apk add --no-cache build-base # Add build-base package
+RUN pip --no-cache-dir install "." &&\
+ pip --no-cache-dir install ".[cli]"
 # ----------------------------------- #
@@ -21,6 +25,9 @@ RUN pip --no-cache-dir install --user .
 FROM python:${PYTHON_VER}-${IMG_OPTION} AS BASE
+# Add a system user
+RUN adduser --system anta
+
 # Opencontainer labels
 # Labels version and revision will be updating
 # during the CI with accurate information
@@ -40,7 +47,12 @@ LABEL "org.opencontainers.image.title"="anta" \
 "org.opencontainers.image.revision"="dev" \
 "org.opencontainers.image.version"="dev"
-COPY --from=BUILDER /root/.local/ /root/.local
-ENV PATH=$PATH:/root/.local/bin
+# Copy artifacts from builder
+COPY --from=BUILDER /opt/venv /opt/venv
+
+# Define PATH and default user
+ENV PATH="/opt/venv/bin:$PATH"
+
+USER anta
-ENTRYPOINT [ "/root/.local/bin/anta" ]
+ENTRYPOINT [ "/opt/venv/bin/anta" ]
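Review bot: `RUN apk add --no-cache build-base` in the builder stage hardcodes the Alpine package manager while the base image is selected by `${IMG_OPTION}` (visible in the `FROM python:${PYTHON_VER}-${IMG_OPTION}` line of the next hunk), so any non-Alpine value of IMG_OPTION would fail at this step unless Alpine is the only supported option. The package is also unpinned, which makes the image non-reproducible (hadolint DL3018), and the first `pip --no-cache-dir install "."` is redundant because the following `".[cli]"` installs the same distribution plus the extra. I would pin the package, move the `apk add` above `COPY . /local` so it is cached independently of source changes, and keep a single install: `RUN apk add --no-cache build-base=<pinned-version>` followed by `RUN pip --no-cache-dir install ".[cli]"`. The builder stage (`FROM ... AS BUILDER`) begins before this hunk.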
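Review bot: `RUN adduser --system anta` leaves the UID and GID to whatever the base image's adduser picks, so the numeric identity can change between builds and across `${IMG_OPTION}` variants, and a name-only user cannot be verified by orchestrator policies such as Kubernetes `runAsNonRoot`. I would pin a stable high UID/GID and skip the home directory, e.g. on Alpine `RUN addgroup -S -g 10001 anta && adduser -S -H -u 10001 -G anta anta`; the Debian form (`adduser --system --uid 10001 --no-create-home anta`) differs, so the command should be written for whichever IMG_OPTION values are actually supported, which is not visible here. A why-comment would also help future maintainers: `# Run anta as an unprivileged user; /opt/venv is copied root-owned so the runtime user cannot modify it`.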
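Review bot: `USER anta` switches by name, which works at runtime but means admission checks that require a numeric UID (Kubernetes `runAsNonRoot` is the common one) will reject the image; `USER 10001` together with a matching `--uid` on the adduser line of the previous hunk avoids that. `COPY --from=BUILDER /opt/venv /opt/venv` without `--chown` is the right default here, since the venv presumably stays root-owned and therefore not writable by the runtime user, and that intent deserves a one-line comment so nobody later adds `--chown=anta`: `# Intentionally root-owned: the runtime user only needs read/execute on the venv`. The final stage's `WORKDIR`, if any, is outside this hunk, so whether the unprivileged user has a writable working directory for report output cannot be confirmed from the diff.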