brigadecore / brigade

Event-driven scripting for Kubernetes
https://brigade.sh/
Apache License 2.0

update all images to present less attackable surface #1871

Closed krancour closed 2 years ago

krancour commented 2 years ago

See #1864

When scanned, alpine-based images produce more favorable results than debian-based images.

Using gcr.io/distroless/static:nonroot as a base image, surprisingly, is also regarded as safer than using scratch as a base image. (It runs as a non-root user without requiring us to do all the legwork.)

netlify[bot] commented 2 years ago

✔️ Deploy Preview for brigade-docs ready!

🔨 Explore the source changes: 622d6b089cab0ef1ed5924a1268a4a599241446c

🔍 Inspect the deploy log: https://app.netlify.com/sites/brigade-docs/deploys/6230a120ed697500086d96d1

😎 Browse the preview: https://deploy-preview-1871--brigade-docs.netlify.app

carolynvs commented 2 years ago

What CVEs did it find on scratch? 🤔

krancour commented 2 years ago

@carolynvs didn't find any CVEs on scratch, but after researching more, I believe that without additional effort, processes running in a container based on scratch are still running as root. To fix that, it seems the right thing to do is to create a nonroot group and user in the first stage of your build, copy /etc/passwd to the final stage, and then use the USER <whoever> directive. We could do all of that ourselves, but the gcr.io/distroless/static:nonroot does most of that legwork for us. (I think we still have to say USER nonroot:nonroot in the final stage.)
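
The two options discussed above side by side, as an added multi-stage Dockerfile example (not the brigade project's own Dockerfile): variant A builds on scratch and carries a hand-made nonroot account into the final stage, variant B builds on gcr.io/distroless/static:nonroot and inherits its default user. The Go module, the `myapp` binary and the `golang:1.20-alpine` build tag are assumptions for illustration; copying /etc/group alongside /etc/passwd is an addition so that the `group` half of `USER nonroot:nonroot` can be resolved too.

```dockerfile
# Stage 1: build a fully static binary and create the unprivileged account.
# (Hypothetical module and binary name; adjust to the real project.)
FROM golang:1.20-alpine AS build
# System user and group with no home directory, for use in the final stage.
RUN addgroup -S nonroot && adduser -S -G nonroot -H nonroot
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/myapp ./cmd/myapp

# Variant A: scratch base. Nothing is inherited, so the account files must be
# copied in explicitly and the USER directive set by hand; without it the
# process would still run as root.
FROM scratch AS scratch-variant
COPY --from=build /etc/passwd /etc/passwd
COPY --from=build /etc/group  /etc/group
COPY --from=build /out/myapp  /myapp
USER nonroot:nonroot
ENTRYPOINT ["/myapp"]

# Variant B: distroless static nonroot base. The base image already defines
# the nonroot account (uid 65532) and sets it as the default user, so no
# account creation or USER directive is required here.
FROM gcr.io/distroless/static:nonroot AS distroless-variant
COPY --from=build /out/myapp /myapp
ENTRYPOINT ["/myapp"]
```

Build one variant at a time with `docker build --target distroless-variant -t myapp:distroless .` (or `--target scratch-variant`), then confirm the configured user with `docker image inspect --format '{{.Config.User}}' myapp:distroless`; a non-empty, non-root value here means the workload will not run as root unless an operator overrides it with `docker run -u`.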

carolynvs commented 2 years ago

Another way to run an image as a nonroot user would be to use docker run -u1001. You're right that by default images run as root.root. This is a nicer fix because it doesn't require people to remember to do that though.

krancour commented 2 years ago

(I think we still have to say USER nonroot:nonroot in the final stage.)

I have now verified through experimentation that you do not need to do that. It's already done for you.

krancour commented 2 years ago

/brig run