Make image rootless, and run it rootless (#1975)
Create megalinter user and group in Docker image, both with ID 1000, and
activate this user after dependencies have been installed. Run Docker
container as current user via mega-linter-runner. The change to
mega-linter-runner only affects POSIX platforms, because process.getuid
and process.getgid are only available there. Previously,
mega-linter-runner ran the MegaLinter Docker image as root. Users whose
files became owned by root as a consequence of this behavior will need
to chown them to be owned by the appropriate user when upgrading
MegaLinter.
Kurt-von-Laven committed Apr 3, 2023
1 parent 4f4b2e8 commit 7062d36
Showing 3 changed files with 33 additions and 20 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -16,6 +16,8 @@ Note: Can be used with `oxsecurity/megalinter@beta` in your GitHub Action mega-l

- Core
- Fix failure of AzureCommentReporter when there is no pull request found in ENV vars
- Make Docker image rootless, and run it as current user rather than root on
POSIX by @Kurt-von-Laven in [#1975](https://github.com/oxsecurity/megalinter/issues/1975).

- Documentation

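Review bot: the changelog entry for #1975 omits the upgrade consequence stated in the commit message: files that earlier runs left owned by root must be chowned back to the appropriate user, and the `--user` change only takes effect on POSIX hosts. Consider adding that migration note directly under this line, since the changelog is what users read when upgrading, e.g. "Files previously written as root may need to be chowned to your user after upgrading."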
47 changes: 27 additions & 20 deletions Dockerfile
Expand Up @@ -634,39 +634,46 @@ RUN dotnet tool install --global Microsoft.CST.DevSkim.CLI --version 0.7.104 \
&& find ${ML_THIRD_PARTY_DIR} -type f -not -name 'LICENSE*' -delete -o -type d -empty -delete \
&& find /tmp -path '/tmp/tmp.*' -type f -name 'misspell*' -delete -o -type d -empty -delete \

# tsqllint installation
# Next line commented because already managed by another linter
# RUN wget --tries=5 -q -O dotnet-install.sh https://dot.net/v1/dotnet-install.sh \
# && chmod +x dotnet-install.sh \
# && ./dotnet-install.sh --install-dir /usr/share/dotnet -channel 6.0 -version latest
# Next line commented because already managed by another linter
# ENV PATH="${PATH}:/root/.dotnet/tools:/usr/share/dotnet"
# tsqllint installation
# Next line commented because already managed by another linter
# RUN wget --tries=5 -q -O dotnet-install.sh https://dot.net/v1/dotnet-install.sh \
# && chmod +x dotnet-install.sh \
# && ./dotnet-install.sh --install-dir /usr/share/dotnet -channel 6.0 -version latest
# Next line commented because already managed by another linter
# ENV PATH="${PATH}:/root/.dotnet/tools:/usr/share/dotnet"
&& dotnet tool install --global TSQLLint \

# tflint installation
# Managed with COPY --link --from=tflint /usr/local/bin/tflint /usr/bin/
# tflint installation
# Managed with COPY --link --from=tflint /usr/local/bin/tflint /usr/bin/

# terrascan installation
# Managed with COPY --link --from=terrascan /go/bin/terrascan /usr/bin/
# terrascan installation
# Managed with COPY --link --from=terrascan /go/bin/terrascan /usr/bin/

# terragrunt installation
# Managed with COPY --link --from=terragrunt /usr/local/bin/terragrunt /usr/bin/
# terragrunt installation
# Managed with COPY --link --from=terragrunt /usr/local/bin/terragrunt /usr/bin/

# terraform-fmt installation
# Managed with COPY --link --from=terragrunt /bin/terraform /usr/bin/
# terraform-fmt installation
# Managed with COPY --link --from=terragrunt /bin/terraform /usr/bin/

# kics installation
# Managed with COPY --link --from=kics /app/bin/kics /usr/bin/
# kics installation
# Managed with COPY --link --from=kics /app/bin/kics /usr/bin/
&& mkdir -p /opt/kics/assets
ENV KICS_QUERIES_PATH=/opt/kics/assets/queries KICS_LIBRARIES_PATH=/opt/kics/assets/libraries
# Managed with COPY --from=kics /app/bin/assets /opt/kics/assets/

#OTHER__END

#######################################
# Create and activate megalinter user #
#######################################
RUN groupadd --gid 1000 megalinter \
&& adduser --uid 1000 megalinter
USER megalinter

################################
# Installs python dependencies #
################################
COPY megalinter /megalinter
COPY --chown=megalinter:megalinter megalinter /megalinter
RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
&& PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
&& rm -rf /var/cache/apk/* \
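Review bot: the user creation in `RUN groupadd --gid 1000 megalinter \ && adduser --uid 1000 megalinter` does not attach the user to the group it just created, and `adduser` is invoked without a non-interactive flag; on an Alpine base (this image cleans `/var/cache/apk/*`) busybox `adduser` expects `-D` to skip the password prompt and `-G megalinter` to set the primary group, while Debian's `adduser` would need `--ingroup megalinter` and `--disabled-password`, so please confirm which `adduser`/`groupadd` pair the base image actually provides. Also verify that the steps after `USER megalinter` still succeed unprivileged: `python /megalinter/setup.py install` writes into the system site-packages and `rm -rf /var/cache/apk/*` touches a root-owned directory, so either those locations must be made writable before the `USER` switch, or the install step should move above it and only the `COPY --chown` lines run as the new user.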
Expand All @@ -675,8 +682,8 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
#######################################
# Copy scripts and rules to container #
#######################################
COPY megalinter/descriptors /megalinter-descriptors
COPY TEMPLATES /action/lib/.automation
COPY --chown=megalinter:megalinter megalinter/descriptors /megalinter-descriptors
COPY --chown=megalinter:megalinter TEMPLATES /action/lib/.automation

###########################
# Get the build arguments #
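Review bot: the `COPY --chown=megalinter:megalinter` on `megalinter/descriptors` and `TEMPLATES` only helps when the container actually runs as uid 1000, but the runner now passes `--user` with the host uid:gid, which on most hosts will not be 1000; anything under these paths that must be writable at runtime will still fail for that uid, and if they are read-only at runtime the more conservative choice is to leave them root-owned so the unprivileged user cannot alter the shipped descriptors. A one-line comment stating whether these trees are written to at runtime would settle which way this should go.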
4 changes: 4 additions & 0 deletions mega-linter-runner/lib/runner.js
Expand Up @@ -4,6 +4,7 @@ const optionsDefinition = require("./options");
const { spawnSync } = require("child_process");
const c = require("chalk");
const path = require("path");
const { getgid, getuid } = require("process");
const which = require("which");
const fs = require("fs-extra");
const { MegaLinterUpgrader } = require("./upgrade");
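Review bot: destructuring `getgid` and `getuid` from `process` at module load relies on Node leaving both undefined on Windows so the later guard can skip them; that is correct, but a short comment on this import saying the two functions are intentionally optional would stop a future contributor from "fixing" the destructuring or adding an import-time check.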
Expand Down Expand Up @@ -132,6 +133,9 @@ ERROR: Docker engine has not been found on your system.
if (options["containerName"]) {
commandArgs.push(...["--name", options["containerName"]]);
}
if (getuid && getgid) {
commandArgs.push(...["--user", `${getuid()}:${getgid()}`]);
}
commandArgs.push(...["-v", "/var/run/docker.sock:/var/run/docker.sock:rw"]);
commandArgs.push(...["-v", `${lintPath}:/tmp/lint:rw`]);
if (options.fix === true) {
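Review bot: the `--user` flag added at `commandArgs.push(...["--user", `${getuid()}:${getgid()}`]);` interacts with the `/var/run/docker.sock:/var/run/docker.sock:rw` mount two lines below: as a non-root uid the container can no longer open the socket unless its gid is granted, so any linter that relies on the Docker daemon will now get a permission error; consider passing `--group-add` with the socket's group id when that mount is in use, or documenting the limitation. Separately, when the host uid is not 1000 the process runs without a passwd entry in the image (no HOME, no login name), which some tools reject; if that proves to be a problem, an escape hatch such as an option to skip `--user` would give users a way out without reverting to root.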

0 comments on commit 7062d36