Run Docker container as user 1000 (#1975)

Previously, mega-linter-runner ran the MegaLinter Docker image as root.
In the Docker image, chown the /megalinter, /megalinter-descriptors, and
/action/lib/.automation directories to be owned by user and group 1000.
Users whose files became owned by root as a consequence of having run a
previous version of MegaLinter will need to chown them to be owned by
user 1000 when upgrading MegaLinter.

Author: Kurt-von-Laven

.automation/build.py

@@ -251,8 +251,9 @@ def generate_flavor(flavor, flavor_info):
             file.write(action_yml)
             logging.info(f"Updated {flavor_action_yml}")
     extra_lines = [
-        "COPY entrypoint.sh /entrypoint.sh",
+        "COPY --chown=1000:1000 entrypoint.sh /entrypoint.sh",
         "RUN chmod +x entrypoint.sh",
+        "USER 1000",
         'ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]',
     ]
     build_dockerfile(

CHANGELOG.md

@@ -22,6 +22,8 @@ Note: Can be used with `oxsecurity/megalinter@beta` in your GitHub Action mega-l
   - Upgrade create-pull-request and create-or-update-comment GitHub Actions
   - Increase auto-update-linters GitHub Action timeout
   - Upgrade base Docker image to python:3.11.3-alpine3.17
+  - Make Docker image rootless, and run it as user 1000 rather than root by
+    @Kurt-von-Laven in [#1975](https://github.com/oxsecurity/megalinter/issues/1975).
 
 - Documentation
 

Dockerfile

@@ -668,7 +668,7 @@ ENV KICS_QUERIES_PATH=/opt/kics/assets/queries KICS_LIBRARIES_PATH=/opt/kics/ass
 ################################
 # Installs python dependencies #
 ################################
-COPY megalinter /megalinter
+COPY --chown=1000:1000 megalinter /megalinter
 RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
     && PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
     && rm -rf /var/cache/apk/* \
@@ -677,8 +677,8 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
 #######################################
 # Copy scripts and rules to container #
 #######################################
-COPY megalinter/descriptors /megalinter-descriptors
-COPY TEMPLATES /action/lib/.automation
+COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
+COPY --chown=1000:1000 TEMPLATES /action/lib/.automation
 
 ###########################
 # Get the build arguments #
@@ -717,7 +717,8 @@ LABEL com.github.actions.name="MegaLinter" \
       org.opencontainers.image.description="Lint your code base with GitHub Actions"
 
 #EXTRA_DOCKERFILE_LINES__START
-COPY entrypoint.sh /entrypoint.sh
+COPY --chown=1000:1000 entrypoint.sh /entrypoint.sh
 RUN chmod +x entrypoint.sh
+USER 1000
 ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
 #EXTRA_DOCKERFILE_LINES__END

flavors/ci_light/Dockerfile

@@ -209,7 +209,7 @@ RUN wget -q -O - https://raw.githubusercontent.com/dotenv-linter/dotenv-linter/m
 ################################
 # Installs python dependencies #
 ################################
-COPY megalinter /megalinter
+COPY --chown=1000:1000 megalinter /megalinter
 RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
     && PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
     && rm -rf /var/cache/apk/* \
@@ -218,8 +218,8 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
 #######################################
 # Copy scripts and rules to container #
 #######################################
-COPY megalinter/descriptors /megalinter-descriptors
-COPY TEMPLATES /action/lib/.automation
+COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
+COPY --chown=1000:1000 TEMPLATES /action/lib/.automation
 
 ###########################
 # Get the build arguments #
@@ -258,7 +258,8 @@ LABEL com.github.actions.name="MegaLinter" \
       org.opencontainers.image.description="Lint your code base with GitHub Actions"
 
 #EXTRA_DOCKERFILE_LINES__START
-COPY entrypoint.sh /entrypoint.sh
+COPY --chown=1000:1000 entrypoint.sh /entrypoint.sh
 RUN chmod +x entrypoint.sh
+USER 1000
 ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
 #EXTRA_DOCKERFILE_LINES__END

flavors/cupcake/Dockerfile

@@ -450,7 +450,7 @@ ENV KICS_QUERIES_PATH=/opt/kics/assets/queries KICS_LIBRARIES_PATH=/opt/kics/ass
 ################################
 # Installs python dependencies #
 ################################
-COPY megalinter /megalinter
+COPY --chown=1000:1000 megalinter /megalinter
 RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
     && PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
     && rm -rf /var/cache/apk/* \
@@ -459,8 +459,8 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
 #######################################
 # Copy scripts and rules to container #
 #######################################
-COPY megalinter/descriptors /megalinter-descriptors
-COPY TEMPLATES /action/lib/.automation
+COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
+COPY --chown=1000:1000 TEMPLATES /action/lib/.automation
 
 ###########################
 # Get the build arguments #
@@ -499,7 +499,8 @@ LABEL com.github.actions.name="MegaLinter" \
       org.opencontainers.image.description="Lint your code base with GitHub Actions"
 
 #EXTRA_DOCKERFILE_LINES__START
-COPY entrypoint.sh /entrypoint.sh
+COPY --chown=1000:1000 entrypoint.sh /entrypoint.sh
 RUN chmod +x entrypoint.sh
+USER 1000
 ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
 #EXTRA_DOCKERFILE_LINES__END

flavors/documentation/Dockerfile

@@ -296,7 +296,7 @@ RUN printf '#!/bin/bash \n\nif [[ -x "$1" ]]; then exit 0; else echo "Error: Fil
 ################################
 # Installs python dependencies #
 ################################
-COPY megalinter /megalinter
+COPY --chown=1000:1000 megalinter /megalinter
 RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
     && PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
     && rm -rf /var/cache/apk/* \
@@ -305,8 +305,8 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
 #######################################
 # Copy scripts and rules to container #
 #######################################
-COPY megalinter/descriptors /megalinter-descriptors
-COPY TEMPLATES /action/lib/.automation
+COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
+COPY --chown=1000:1000 TEMPLATES /action/lib/.automation
 
 ###########################
 # Get the build arguments #
@@ -345,7 +345,8 @@ LABEL com.github.actions.name="MegaLinter" \
       org.opencontainers.image.description="Lint your code base with GitHub Actions"
 
 #EXTRA_DOCKERFILE_LINES__START
-COPY entrypoint.sh /entrypoint.sh
+COPY --chown=1000:1000 entrypoint.sh /entrypoint.sh
 RUN chmod +x entrypoint.sh
+USER 1000
 ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
 #EXTRA_DOCKERFILE_LINES__END

flavors/dotnet/Dockerfile

@@ -391,7 +391,7 @@ RUN curl --retry 5 --retry-delay 5 -sLO "${ARM_TTK_URI}" \
 ################################
 # Installs python dependencies #
 ################################
-COPY megalinter /megalinter
+COPY --chown=1000:1000 megalinter /megalinter
 RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
     && PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
     && rm -rf /var/cache/apk/* \
@@ -400,8 +400,8 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
 #######################################
 # Copy scripts and rules to container #
 #######################################
-COPY megalinter/descriptors /megalinter-descriptors
-COPY TEMPLATES /action/lib/.automation
+COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
+COPY --chown=1000:1000 TEMPLATES /action/lib/.automation
 
 ###########################
 # Get the build arguments #
@@ -440,7 +440,8 @@ LABEL com.github.actions.name="MegaLinter" \
       org.opencontainers.image.description="Lint your code base with GitHub Actions"
 
 #EXTRA_DOCKERFILE_LINES__START
-COPY entrypoint.sh /entrypoint.sh
+COPY --chown=1000:1000 entrypoint.sh /entrypoint.sh
 RUN chmod +x entrypoint.sh
+USER 1000
 ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
 #EXTRA_DOCKERFILE_LINES__END

flavors/go/Dockerfile

@@ -311,7 +311,7 @@ RUN printf '#!/bin/bash \n\nif [[ -x "$1" ]]; then exit 0; else echo "Error: Fil
 ################################
 # Installs python dependencies #
 ################################
-COPY megalinter /megalinter
+COPY --chown=1000:1000 megalinter /megalinter
 RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
     && PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
     && rm -rf /var/cache/apk/* \
@@ -320,8 +320,8 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
 #######################################
 # Copy scripts and rules to container #
 #######################################
-COPY megalinter/descriptors /megalinter-descriptors
-COPY TEMPLATES /action/lib/.automation
+COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
+COPY --chown=1000:1000 TEMPLATES /action/lib/.automation
 
 ###########################
 # Get the build arguments #
@@ -360,7 +360,8 @@ LABEL com.github.actions.name="MegaLinter" \
       org.opencontainers.image.description="Lint your code base with GitHub Actions"
 
 #EXTRA_DOCKERFILE_LINES__START
-COPY entrypoint.sh /entrypoint.sh
+COPY --chown=1000:1000 entrypoint.sh /entrypoint.sh
 RUN chmod +x entrypoint.sh
+USER 1000
 ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
 #EXTRA_DOCKERFILE_LINES__END

flavors/java/Dockerfile

@@ -324,7 +324,7 @@ RUN wget --quiet https://github.com/pmd/pmd/releases/download/pmd_releases%2F${P
 ################################
 # Installs python dependencies #
 ################################
-COPY megalinter /megalinter
+COPY --chown=1000:1000 megalinter /megalinter
 RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
     && PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
     && rm -rf /var/cache/apk/* \
@@ -333,8 +333,8 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
 #######################################
 # Copy scripts and rules to container #
 #######################################
-COPY megalinter/descriptors /megalinter-descriptors
-COPY TEMPLATES /action/lib/.automation
+COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
+COPY --chown=1000:1000 TEMPLATES /action/lib/.automation
 
 ###########################
 # Get the build arguments #
@@ -373,7 +373,8 @@ LABEL com.github.actions.name="MegaLinter" \
       org.opencontainers.image.description="Lint your code base with GitHub Actions"
 
 #EXTRA_DOCKERFILE_LINES__START
-COPY entrypoint.sh /entrypoint.sh
+COPY --chown=1000:1000 entrypoint.sh /entrypoint.sh
 RUN chmod +x entrypoint.sh
+USER 1000
 ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
 #EXTRA_DOCKERFILE_LINES__END

flavors/javascript/Dockerfile

@@ -312,7 +312,7 @@ RUN printf '#!/bin/bash \n\nif [[ -x "$1" ]]; then exit 0; else echo "Error: Fil
 ################################
 # Installs python dependencies #
 ################################
-COPY megalinter /megalinter
+COPY --chown=1000:1000 megalinter /megalinter
 RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
     && PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
     && rm -rf /var/cache/apk/* \
@@ -321,8 +321,8 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
 #######################################
 # Copy scripts and rules to container #
 #######################################
-COPY megalinter/descriptors /megalinter-descriptors
-COPY TEMPLATES /action/lib/.automation
+COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
+COPY --chown=1000:1000 TEMPLATES /action/lib/.automation
 
 ###########################
 # Get the build arguments #
@@ -361,7 +361,8 @@ LABEL com.github.actions.name="MegaLinter" \
       org.opencontainers.image.description="Lint your code base with GitHub Actions"
 
 #EXTRA_DOCKERFILE_LINES__START
-COPY entrypoint.sh /entrypoint.sh
+COPY --chown=1000:1000 entrypoint.sh /entrypoint.sh
 RUN chmod +x entrypoint.sh
+USER 1000
 ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
 #EXTRA_DOCKERFILE_LINES__END

flavors/php/Dockerfile

@@ -340,7 +340,7 @@ RUN composer global require --ignore-platform-reqs overtrue/phplint ^5.3 \
 ################################
 # Installs python dependencies #
 ################################
-COPY megalinter /megalinter
+COPY --chown=1000:1000 megalinter /megalinter
 RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
     && PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
     && rm -rf /var/cache/apk/* \
@@ -349,8 +349,8 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
 #######################################
 # Copy scripts and rules to container #
 #######################################
-COPY megalinter/descriptors /megalinter-descriptors
-COPY TEMPLATES /action/lib/.automation
+COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
+COPY --chown=1000:1000 TEMPLATES /action/lib/.automation
 
 ###########################
 # Get the build arguments #
@@ -389,7 +389,8 @@ LABEL com.github.actions.name="MegaLinter" \
       org.opencontainers.image.description="Lint your code base with GitHub Actions"
 
 #EXTRA_DOCKERFILE_LINES__START
-COPY entrypoint.sh /entrypoint.sh
+COPY --chown=1000:1000 entrypoint.sh /entrypoint.sh
 RUN chmod +x entrypoint.sh
+USER 1000
 ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
 #EXTRA_DOCKERFILE_LINES__END

flavors/python/Dockerfile

@@ -307,7 +307,7 @@ RUN printf '#!/bin/bash \n\nif [[ -x "$1" ]]; then exit 0; else echo "Error: Fil
 ################################
 # Installs python dependencies #
 ################################
-COPY megalinter /megalinter
+COPY --chown=1000:1000 megalinter /megalinter
 RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
     && PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
     && rm -rf /var/cache/apk/* \
@@ -316,8 +316,8 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
 #######################################
 # Copy scripts and rules to container #
 #######################################
-COPY megalinter/descriptors /megalinter-descriptors
-COPY TEMPLATES /action/lib/.automation
+COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
+COPY --chown=1000:1000 TEMPLATES /action/lib/.automation
 
 ###########################
 # Get the build arguments #
@@ -356,7 +356,8 @@ LABEL com.github.actions.name="MegaLinter" \
       org.opencontainers.image.description="Lint your code base with GitHub Actions"
 
 #EXTRA_DOCKERFILE_LINES__START
-COPY entrypoint.sh /entrypoint.sh
+COPY --chown=1000:1000 entrypoint.sh /entrypoint.sh
 RUN chmod +x entrypoint.sh
+USER 1000
 ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
 #EXTRA_DOCKERFILE_LINES__END

flavors/ruby/Dockerfile

@@ -297,7 +297,7 @@ RUN printf '#!/bin/bash \n\nif [[ -x "$1" ]]; then exit 0; else echo "Error: Fil
 ################################
 # Installs python dependencies #
 ################################
-COPY megalinter /megalinter
+COPY --chown=1000:1000 megalinter /megalinter
 RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
     && PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
     && rm -rf /var/cache/apk/* \
@@ -306,8 +306,8 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
 #######################################
 # Copy scripts and rules to container #
 #######################################
-COPY megalinter/descriptors /megalinter-descriptors
-COPY TEMPLATES /action/lib/.automation
+COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
+COPY --chown=1000:1000 TEMPLATES /action/lib/.automation
 
 ###########################
 # Get the build arguments #
@@ -346,7 +346,8 @@ LABEL com.github.actions.name="MegaLinter" \
       org.opencontainers.image.description="Lint your code base with GitHub Actions"
 
 #EXTRA_DOCKERFILE_LINES__START
-COPY entrypoint.sh /entrypoint.sh
+COPY --chown=1000:1000 entrypoint.sh /entrypoint.sh
 RUN chmod +x entrypoint.sh
+USER 1000
 ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
 #EXTRA_DOCKERFILE_LINES__END

flavors/rust/Dockerfile

@@ -291,7 +291,7 @@ RUN printf '#!/bin/bash \n\nif [[ -x "$1" ]]; then exit 0; else echo "Error: Fil
 ################################
 # Installs python dependencies #
 ################################
-COPY megalinter /megalinter
+COPY --chown=1000:1000 megalinter /megalinter
 RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
     && PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \
     && rm -rf /var/cache/apk/* \
@@ -300,8 +300,8 @@ RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \
 #######################################
 # Copy scripts and rules to container #
 #######################################
-COPY megalinter/descriptors /megalinter-descriptors
-COPY TEMPLATES /action/lib/.automation
+COPY --chown=1000:1000 megalinter/descriptors /megalinter-descriptors
+COPY --chown=1000:1000 TEMPLATES /action/lib/.automation
 
 ###########################
 # Get the build arguments #
@@ -340,7 +340,8 @@ LABEL com.github.actions.name="MegaLinter" \
       org.opencontainers.image.description="Lint your code base with GitHub Actions"
 
 #EXTRA_DOCKERFILE_LINES__START
-COPY entrypoint.sh /entrypoint.sh
+COPY --chown=1000:1000 entrypoint.sh /entrypoint.sh
 RUN chmod +x entrypoint.sh
+USER 1000
 ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
 #EXTRA_DOCKERFILE_LINES__END