In follow up to #2 - I have a further improvement on disallowed root
It is perfectly acceptable to use USER root in some places in a Dockerfile, such as in a multi-stage build, or before running some commands which require root, as long as there is another USER directive after it to have the container's app itself run as non-root.
The current code fails on this incorrectly.
To work around it, we create a new array of all of the user directives specified in the Dockerfile by using an array comprehension, and then we verify that the last user in the array is not in the forbidden users list.
Signed-off-by: Thomas Spear <tspear@conquestcyber.com>
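The check described in this PR, sketched in Python as an added example (not the PR's code): it collects every USER directive in file order and flags the Dockerfile only when the last one is forbidden. The forbidden list, the sample Dockerfiles and the function names are assumptions, as is the extra report for a Dockerfile with no USER directive, which the description does not cover.

```python
import re

# Assumed forbidden list; the PR's actual list is not shown on the page.
FORBIDDEN_USERS = {"root", "0"}

# Constructed sample: root is used in the build stage and briefly in the
# final stage, but the last USER directive drops to a non-root account.
SAMPLE_OK = """\
FROM golang:1.21 AS build
USER root
RUN make install
FROM alpine:3.19
USER root
RUN apk add --no-cache ca-certificates
USER app
ENTRYPOINT ["/usr/local/bin/app"]
"""

# Constructed sample: the final USER directive leaves the container as root.
SAMPLE_BAD = """\
FROM alpine:3.19
USER app
RUN id
USER root:root
"""

def user_directives(dockerfile: str) -> list[str]:
    """Return the user part of every USER directive, in file order."""
    users = []
    for line in dockerfile.splitlines():
        m = re.match(r"\s*USER\s+(\S+)", line, re.IGNORECASE)
        if m:
            # "USER name:group" -> keep only the user part
            users.append(m.group(1).split(":", 1)[0])
    return users

def violations(dockerfile: str) -> list[str]:
    """Flag the Dockerfile only if the *last* USER directive is forbidden."""
    users = user_directives(dockerfile)
    if not users:
        # Added case: without USER the image keeps the base image's user.
        return ["no USER directive: container runs as the base image's user"]
    if users[-1] in FORBIDDEN_USERS:
        return [f"last USER directive is forbidden user '{users[-1]}'"]
    return []
```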