Closed krancour closed 2 years ago
✔️ Deploy Preview for brigade-docs ready!
🔨 Explore the source changes: 622d6b089cab0ef1ed5924a1268a4a599241446c
🔍 Inspect the deploy log: https://app.netlify.com/sites/brigade-docs/deploys/6230a120ed697500086d96d1
😎 Browse the preview: https://deploy-preview-1871--brigade-docs.netlify.app
What CVEs did it find on scratch? 🤔
@carolynvs didn't find any CVEs on scratch, but after researching more, I believe that without additional effort, processes running in a container based on scratch are still running as root. To fix that, it seems the right thing to do is to create a nonroot group and user in the first stage of your build, copy `/etc/passwd` to the final stage, and then use the `USER <whoever>` directive. We could do all of that ourselves, but `gcr.io/distroless/static:nonroot` does most of that legwork for us. (I think we still have to say `USER nonroot:nonroot` in the final stage.)
Another way to run an image as a nonroot user would be to use `docker run -u1001`. You're right that by default images run as root.root. This is a nicer fix because it doesn't require people to remember to do that though.
> (I think we still have to say `USER nonroot:nonroot` in the final stage.)

I have now verified through experimentation that you do not need to do that. It's already done for you.
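The two approaches discussed above, side by side, as an added Dockerfile sketch that is not code from the Brigade repository; the `golang:1.18-alpine` build image, the stage names, the `/app` binary path and the 65532 UID/GID are assumptions. The hand-built stage needs the `/etc/passwd` and `/etc/group` copy so that `USER nonroot` can be resolved by name; the distroless stage sets no `USER` at all, since the `:nonroot` base already does that.

```dockerfile
# Stage 1 (assumed build image): compile a static binary and create the
# nonroot account that the scratch-based final stage will reuse.
FROM golang:1.18-alpine AS build
# Constructed example values: name "nonroot", UID/GID 65532 (the ID that
# distroless also uses for its nonroot user).
RUN addgroup -g 65532 -S nonroot && \
    adduser -u 65532 -S -G nonroot -H -D nonroot
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/app .

# Option A: scratch base, everything done by hand.
# Build with: docker build --target scratch-final .
FROM scratch AS scratch-final
# Without these two files, USER can only be given numerically (65532:65532);
# by name it fails because scratch has no user database.
COPY --from=build /etc/passwd /etc/passwd
COPY --from=build /etc/group  /etc/group
COPY --from=build /out/app /app
USER nonroot:nonroot
ENTRYPOINT ["/app"]

# Option B: distroless nonroot base, the default (last) stage.
# The base image already ships /etc/passwd with "nonroot" and sets
# USER nonroot, so no USER line is required here.
FROM gcr.io/distroless/static:nonroot AS distroless-final
COPY --from=build /out/app /app
ENTRYPOINT ["/app"]
```

Either resulting image can be checked with `docker inspect --format '{{.Config.User}}' <image>`; an empty value there means the container still starts as root.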
/brig run
See #1864
When scanned, alpine-based images produce more favorable results than debian-based images.
Using `gcr.io/distroless/static:nonroot` as a base image, surprisingly, is also regarded as safer than using `scratch` as a base image. (It runs as a non-root user without requiring us to do all the legwork.)