🐛(docker) build Docker images with an unprivileged user
This is a major issue. Docker images were built and published with a root user in the CI. If a user manages to break out of the application running as root in the container, they may gain root access on the host. In addition, configuring the container to run as an unprivileged user is the best way to prevent privilege escalation attacks. We mitigated this issue by creating a new environment variable DOCKER_USER. DOCKER_USER is set with the outputs of id -u and id -g. Then, it is passed as a build-arg when running docker/build-push-action steps.
This commit is contained in:
committed by
aleb_the_flash
parent
4579e668b6
commit
78459df962
5
.github/workflows/docker-hub.yml
5
.github/workflows/docker-hub.yml
@@ -11,6 +11,9 @@ on:
|
||||
branches:
|
||||
- 'main'
|
||||
|
||||
env:
|
||||
DOCKER_USER: 1001:127
|
||||
|
||||
jobs:
|
||||
build-and-push-backend:
|
||||
runs-on: ubuntu-latest
|
||||
@@ -40,6 +43,7 @@ jobs:
|
||||
with:
|
||||
context: .
|
||||
target: production
|
||||
build-args: DOCKER_USER=${{ env.DOCKER_USER }}:-1000
|
||||
push: ${{ github.event_name != 'pull_request' }}
|
||||
tags: ${{ steps.meta.outputs.tags }}
|
||||
labels: ${{ steps.meta.outputs.labels }}
|
||||
@@ -72,6 +76,7 @@ jobs:
|
||||
with:
|
||||
context: .
|
||||
target: frontend
|
||||
build-args: DOCKER_USER=${{ env.DOCKER_USER }}:-1000
|
||||
push: ${{ github.event_name != 'pull_request' }}
|
||||
tags: ${{ steps.meta.outputs.tags }}
|
||||
labels: ${{ steps.meta.outputs.labels }}
|
||||
|
||||
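Review bot: The `:-1000` suffix on both new `build-args:` lines (the backend hunk at `@@ -40,6 +43,7 @@` and the frontend hunk at `@@ -72,6 +76,7 @@`) is not a fallback: a `${{ }}` expression has no shell-style `:-` default, so the build receives the literal `DOCKER_USER=1001:127:-1000`, and a `USER ${DOCKER_USER}` line in the Dockerfile would get a malformed `user:group` spec rather than falling back to 1000 — the Dockerfile is outside this diff, so confirm how it consumes the arg. A default belongs in the expression itself, `build-args: DOCKER_USER=${{ env.DOCKER_USER || '1000' }}`, or the suffix should simply be dropped since the workflow-level `env:` always sets the value. The new `DOCKER_USER: 1001:127` should also be quoted as `DOCKER_USER: "1001:127"`: colon-separated digits are a YAML 1.1 sexagesimal integer, and while 127 falls outside the 0–59 range and so survives as a string here, a GID below 60 would be silently rewritten to a number. The commit message says the value comes from `id -u`/`id -g`, but it is hard-coded in `env:`; a comment above it such as `# UID:GID the image runs as; must match the unprivileged user created in the Dockerfile` would make that intent explicit. The `with:` blocks belong to steps whose `uses:` line starts outside the hunks.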