Harden Container Runtime with Non-Root User #3941

Merged
merged 18 commits into from
Jun 5, 2025

Conversation

MikeTheCyberGuy
Contributor

MikeTheCyberGuy commented May 28, 2025

This PR makes the following changes:

  • uses gcr.io/distroless/static-debian12 as the base image
  • ensures the built containers are non-root users

In the process of working on this, additional docker manifest updates were made:

  • image_templates section was missing from the debug variant
  • the top-level images should be the manifests and the tagged images should always be architecture specific (according to best practices)

Changes

  • Bug fix (non-breaking change which fixes an issue)

Checklist

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections

Signed-off-by: Michael Briley <[email protected]>
@spiffcs
Contributor

spiffcs commented Jun 2, 2025

Running the checks on this now -- thank you for taking the time to improve the security posture of our images!
@anchore/tools do we want to offer these as new separate images, or is it worth the cost of breaking user pipelines here?

We might have to ensure file permissions are compatible here and set the user before the copy:

RUN chown -R nonroot:nonroot /tmp /syft /other-paths

Checking this now.

@wagoodman wagoodman added the bug Something isn't working label Jun 3, 2025
@wagoodman
Contributor

I refactored this to use the gcr.io/distroless/static-debian12 images directly, so QEMU is not needed (which is much simpler). The difference is that we're using the nonroot tags which should deal with the core issue more simply than needing our own security context stage.
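
As an added illustration of the approach described in the two comments above (this is example code, not the project's own Dockerfile): building on the distroless `nonroot` tag means the runtime user already exists and is already selected, so no separate security-context stage or `RUN chown` is required, and ownership of the copied files is set at copy time instead. The binary path `dist/syft`, the `/data` directory, and the `busybox:1.36` scaffold stage are assumptions made for the example.

```dockerfile
# Added example, not the project's own Dockerfile. Assumes a statically linked
# binary was already built on the build host at ./dist/syft (hypothetical path).

# Helper stage whose only job is to materialise an empty directory; distroless
# static images ship no shell, so RUN cannot be used in the final stage.
FROM busybox:1.36 AS scaffold
RUN mkdir -p /scaffold/data

FROM gcr.io/distroless/static-debian12:nonroot

# The :nonroot tag already defines user "nonroot" (uid/gid 65532) in /etc/passwd
# and sets USER nonroot, so no extra stage is needed to create a runtime user.
# Ownership is set while copying rather than with a later chown.
COPY --chown=nonroot:nonroot dist/syft /syft

# Writable working directory for the process, owned by the runtime user.
COPY --from=scaffold --chown=nonroot:nonroot /scaffold/data /data

# Explicit even though the base image sets it, so the intent is visible in review.
USER nonroot
WORKDIR /data
ENTRYPOINT ["/syft"]
```

After building, `docker inspect --format '{{.Config.User}}' <image>` should report `nonroot`. The caveat that matters in practice is bind mounts: a directory mounted into `/data` keeps the host's ownership, so if the host files are not readable or writable by uid 65532 the process fails with permission errors, which is the class of problem the later comment on this PR describes; matching the uid with `--user` at run time or adjusting host ownership resolves it.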

wagoodman changed the title from "Enable Multi-Arch Builds and Harden Container Runtime with Non-Root User" to "Harden Container Runtime with Non-Root User" on Jun 5, 2025
wagoodman added 2 commits June 5, 2025 11:39
Signed-off-by: Alex Goodman <[email protected]>
wagoodman merged commit 868a6a7 into anchore:main Jun 5, 2025
12 checks passed
spiffcs added a commit that referenced this pull request Jun 9, 2025
* main: (31 commits)
  remove benchmark utils (#3982)
  fix: exclude packages with SPDX GENERATED_FROM source package indication (#3981)
  chore(deps): bump modernc.org/sqlite from 1.37.1 to 1.38.0 (#3979)
  chore(deps): bump github.com/go-git/go-git/v5 from 5.16.1 to 5.16.2 (#3978)
  chore(deps): update tools to latest versions (#3977)
  chore(deps): update CPE dictionary index (#3976)
  chore(deps): bump golang.org/x/net from 0.40.0 to 0.41.0 (#3970)
  chore(deps): bump github.com/sergi/go-diff (#3971)
  Fix Python package dependency detection (#3965)
  fix: Remove three Rust crate false positive CPE matches (#3967)
  Harden Container Runtime with Non-Root User (#3941)
  fix: Remove two Rust crate false positive CPE matches (#3962)
  chore(deps): bump golang.org/x/mod from 0.24.0 to 0.25.0 (#3963)
  chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.12 to 0.5.13 (#3964)
  fix: bump stereoscope to fix symlink performance issue (#3953)
  chore(deps): bump github.com/go-git/go-git/v5 from 5.16.0 to 5.16.1 (#3960)
  chore(deps): bump github/codeql-action from 3.28.18 to 3.28.19 (#3952)
  feat: add syft schema version to version command (#3949)
  chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.11 to 0.5.12 (#3943)
  chore(deps): update tools to latest versions (#3945)
  ...

Signed-off-by: Christopher Phillips <[email protected]>
@kzantow
Contributor

kzantow commented Jun 12, 2025

Hi @MikeTheCyberGuy 👋 -- due to a number of users having permission issues that were not obvious to work around, we've reverted the nonroot-by-default (in latest tags), so the latest images are back to using root by default; however, we've introduced a "nonroot" tag for users who want to run the nonroot variant. That is to say, you will probably want to use anchore/syft:nonroot (and similar for Grype) for your purposes.
