eclipse-tractusx / sig-infra

Apache License 2.0

Support: Quality check for docker image is failing because of root user #353

Open ds-psosnowski opened 8 months ago

ds-psosnowski commented 8 months ago

Is your support request related to a problem? Please describe.
One of our quality checks is failing - Failed! Guideline description: Container images shall not run as root for security reasons. We are not sure if this is not caused by defining the user from env variables: USER ${UID}:${GID}, or maybe because we didn't specify a user for the build image.

Describe the solution you'd like
If this is caused by using env variables then check shouldn't fail.

Additional context
Dockerfile for verification: https://github.com/catenax-ng/tx-item-relationship-service/blob/main/Dockerfile

FaGru3n commented 8 months ago

Hi @ds-psosnowski

I guess you mean this workflow: https://github.com/catenax-ng/tx-item-relationship-service/actions/workflows/quality-checks.yaml

  1. Testing Quality Guideline: TRG 4.03 - Non-root container
     Start finding Dockerfiles at ./
     Found Dockerfiles: Dockerfile
     Failed! Guideline description: Container images shall not run as root for security reasons.
     Invalid user specified in Dockerfile: Dockerfile
     More infos: https://eclipse-tractusx.github.io/docs/release/trg-4/trg-4-03

Will check with our team.

ds-psosnowski commented 8 months ago

Hey, yes, exactly this. Thanks for the information.

FaGru3n commented 8 months ago

Hi @ds-psosnowski, this is currently a problem we also became aware of from https://github.com/catenax-ng/tx-traceability-foss/blob/main/Dockerfile

that was referenced in #341, and we opened an issue against helm itself: https://github.com/helm/helm/issues/12385

But we are also thinking about rewriting our checks for that.

ds-psosnowski commented 8 months ago

@FaGru3n All right, so we're waiting for a fix. It is not blocking us, but the quality check is failing. Thanks for sharing and have a nice day.

tomaszbarwicki commented 5 months ago

@ds-psosnowski, @FaGru3n I think there is a little disconnect here. The issue reported isn't related to the helm one (https://github.com/helm/helm/issues/12385) but to our implementation of the non-root user check, which is unable to resolve the variable references ${UID}:${GID} in USER; see the comment from @SebastianBezold: https://github.com/eclipse-tractusx/sig-infra/issues/341#issuecomment-1801647691

hzierer commented 3 months ago

moved to our backlog, to plan it properly
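
The variable resolution discussed in this thread, as an added sketch that is not part of the thread and not the sig-infra check's own code: it resolves `${UID}:${GID}` in the final stage's USER from ARG/ENV defaults and reports unresolved references separately from root. The names `expand` and `check_user` and the sample Dockerfile are hypothetical; only single-line instructions and the `KEY=value` form of ENV are handled.

```python
import re
# $VAR, ${VAR} and ${VAR:-default}: the reference forms handled here.
_VAR = re.compile(r"\$(?:(\w+)|\{(\w+)(?::-([^}]*))?\})")

def expand(text, scope):
    """Substitute variables from scope; return None if any has no value."""
    missing = []
    def sub(m):
        value = scope.get(m.group(1) or m.group(2)) or m.group(3)
        if value is None:
            missing.append(m.group(0))
        return value or ""
    out = _VAR.sub(sub, text)
    return None if missing else out

def check_user(dockerfile):
    """Verdict for the final stage: ok, root, unresolved or missing."""
    global_args, scope, user, in_stage = {}, {}, None, False
    for line in dockerfile.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        op, rest = parts[0].upper(), parts[1].strip()
        if op == "FROM":  # every stage starts with an empty scope and no USER
            scope, user, in_stage = {}, None, True
        elif op == "ARG":
            name, _, default = rest.partition("=")
            # "ARG NAME" inside a stage inherits a default declared before FROM
            value = default.strip("\"'") or global_args.get(name)
            (scope if in_stage else global_args)[name] = value
        elif op == "ENV" and in_stage:
            for name, value in re.findall(r"(\w+)=(\S+)", rest):
                scope[name] = expand(value, scope)
        elif op == "USER" and in_stage:
            user = (rest, expand(rest, scope))  # resolve with the scope so far
    if user is None:
        return "missing", None
    raw, resolved = user
    if resolved is None:
        return "unresolved", raw
    uid = resolved.split(":", 1)[0]
    return ("root" if uid in ("0", "root") else "ok"), resolved
# Constructed sample, not the Dockerfile linked in the thread.
SAMPLE = """\
FROM example/runtime:1
ARG UID=10000
ARG GID=1000
USER ${UID}:${GID}
"""
```

An "ok" verdict describes the build with its declared defaults; a `--build-arg` override at build time can still change the effective user, so the runtime user should also be enforced where the container is deployed.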