neo4j / docker-neo4j

Docker Images for the Neo4j Graph Database
Apache License 2.0

replaced gosu with su-exec for better security traceability #471

Closed jennyowen closed 11 months ago

jennyowen commented 11 months ago

Using the gosu tool results in too many complaints about vulnerabilities, because we also have to include Go in the image. By replacing gosu with su-exec we don't need to include Go, and so theoretically it should not have those CVEs.

Since su-exec isn't provided as a pre-built binary anywhere reliable, I had to update the Dockerfiles to be multi-stage builds. I don't know if this violates the rules of Docker Official Images. I couldn't see anything mentioning multi-stage builds specifically, but it does risk forcing us to revert this change later.
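
The multi-stage approach described above, sketched as an added example (not the Dockerfile from this PR or from the neo4j project): su-exec is compiled from a checksum-verified source snapshot in a throwaway stage, and only the binary is copied into the runtime image. The base image tag, the upstream `ncopa/su-exec` source location, the paths, and the two build arguments are assumptions; the commit and checksum are placeholders to be supplied at build time.

```dockerfile
# Added example: hypothetical multi-stage build, not the project's Dockerfile.
# Base image, paths and build-arg names are assumptions.

# ---- Stage 1: compile su-exec from a pinned, checksum-verified snapshot ----
FROM debian:bookworm-slim AS su-exec-build

# Placeholders, supplied by the builder (not values from the PR):
#   --build-arg SU_EXEC_COMMIT=<full upstream commit sha>
#   --build-arg SU_EXEC_SHA256=<sha256 of that source tarball>
ARG SU_EXEC_COMMIT
ARG SU_EXEC_SHA256

# Toolchain lives only in this stage and never reaches the final image.
RUN apt-get update \
 && apt-get install -y --no-install-recommends \
      ca-certificates curl gcc libc6-dev make \
 && rm -rf /var/lib/apt/lists/*

WORKDIR /build

# Fail the build if the pin is missing or the tarball does not match it.
RUN test -n "${SU_EXEC_COMMIT}" && test -n "${SU_EXEC_SHA256}" \
 && curl -fsSL -o su-exec.tar.gz \
      "https://github.com/ncopa/su-exec/archive/${SU_EXEC_COMMIT}.tar.gz" \
 && echo "${SU_EXEC_SHA256}  su-exec.tar.gz" | sha256sum -c - \
 && tar -xzf su-exec.tar.gz --strip-components=1 \
 && make

# ---- Stage 2: runtime image receives only the compiled binary ----
FROM debian:bookworm-slim

COPY --from=su-exec-build /build/su-exec /usr/local/bin/su-exec

# Smoke test at build time: drop from root to an unprivileged user.
RUN chmod 0755 /usr/local/bin/su-exec \
 && su-exec nobody true
```

Because the final stage starts from a clean base and copies a single C binary, an image scanner sees no Go runtime or build toolchain in the shipped layers.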