fix: run Docker container as non-root user (closes #34)
- Switch to gcr.io/distroless/cc-debian12:nonroot - Add explicit USER 65534:65534 directive - Add Docker security CI job verifying non-root UID, :nonroot base, and USER directive - Document CIS Docker Benchmark compliance in SECURITY.md - Add tests and edge cases for container security
This commit is contained in:
argenis de la rosa
parent
cc08f4bfff
commit
76074cb789
14 changed files with 2270 additions and 168 deletions
|
|
@ -8,14 +8,17 @@ COPY src/ src/
|
|||
RUN cargo build --release --locked && \
|
||||
strip target/release/zeroclaw
|
||||
|
||||
# ── Stage 2: Runtime (distroless — no shell, no OS, tiny) ────
|
||||
FROM gcr.io/distroless/cc-debian12
|
||||
# ── Stage 2: Runtime (distroless nonroot — no shell, no OS, tiny, UID 65534) ──
|
||||
FROM gcr.io/distroless/cc-debian12:nonroot
|
||||
|
||||
COPY --from=builder /app/target/release/zeroclaw /usr/local/bin/zeroclaw
|
||||
|
||||
# Default workspace
|
||||
# Default workspace (owned by nonroot user)
|
||||
VOLUME ["/workspace"]
|
||||
ENV ZEROCLAW_WORKSPACE=/workspace
|
||||
|
||||
# Explicitly set non-root user (distroless:nonroot defaults to 65534, but be explicit)
|
||||
USER 65534:65534
|
||||
|
||||
ENTRYPOINT ["zeroclaw"]
|
||||
CMD ["gateway"]
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue