feat: run as non-root user

pkarolyi · May 3, 2024 · c4e6438 · c4e6438
1 parent b0b41fd
commit c4e6438
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -20,18 +20,24 @@ RUN pnpm build
 
 FROM base AS runner
 
+# https://github.com/nodejs/docker-node/blob/main/docs/BestPractices.md#non-root-user
+RUN deluser --remove-home node && addgroup -S node -g 1000 && adduser -S -G node -u 1000 node
+
 # https://github.com/nodejs/docker-node/blob/main/docs/BestPractices.md#handling-kernel-signals
 RUN apk --no-cache add tini
 
 WORKDIR /garden-snail
 
-COPY package.json pnpm-lock.yaml ./
+RUN chown -R node:node .
+COPY --chown=node:node package.json pnpm-lock.yaml ./
 
 # with NODE_ENV=production pnpm will not install devDependencies 
 ENV NODE_ENV=production
 RUN pnpm install --frozen-lockfile
 
-COPY --from=builder /garden-snail/dist ./dist
+COPY --from=builder --chown=node:node /garden-snail/dist ./dist
+
+USER node
 
 EXPOSE 3000
 ENTRYPOINT ["/sbin/tini", "node", "dist/main"]