
Run the Linux TestHosts container as a non-root user #138

Merged: StuartFerguson merged 4 commits into master from copilot/fix-dockerfile-user-security-issue on Mar 16, 2026
Copilot AI commented Mar 16, 2026

The Linux runtime image did not declare a USER, so TestHosts.dll could start as root in the final container stage. This change makes the runtime image explicitly non-root and ensures the published app files are owned by that runtime identity.

  • Container hardening

    • Set the final image to run as numeric non-root user/group 10001:10001
    • Assign ownership of published app artifacts to the same non-root identity during the final-stage copy
  • Runtime-stage only change

    • Leaves the build/publish stages unchanged
    • Limits the change to the Linux Dockerfile path flagged by the security report
  • Result

    • The container entrypoint now executes without inheriting root privileges from the image default

```dockerfile
FROM base AS final
WORKDIR /app
COPY --from=publish --chown=10001:10001 /app/publish .
USER 10001:10001
ENTRYPOINT ["dotnet", "TestHosts.dll"]
```

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • f.feedz.io
    • Triggering command: /usr/bin/dotnet dotnet build TestHosts.sln --configuration Release (dns block)
    • Triggering command: /usr/bin/dotnet dotnet restore TestHosts/TestHosts.csproj (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details the original issue you should resolve

<issue_title>[Security] By not specifying a USER, a program in the container may run as 'root'. This is a security hazard.</issue_title>
<issue_description>

Codacy ID: bd1fb729f0cacc1888a3ac597606cd56

File: TestHosts/TestHosts/Dockerfile
Line: 19
Rule: Security (High)
Commit: f534542b2347eea5c6049776f9da8c4896721d57

Message: By not specifying a USER, a program in the container may run as 'root'. This is a security hazard.

**Code Snippet:**
```dockerfile
ENTRYPOINT ["dotnet", "TestHosts.dll"]
```

</issue_description>

Comments on the Issue (you are @copilot in this section)


Copilot AI changed the title from "[WIP] [Security] Fix Dockerfile to specify a USER for security" to "Run the Linux TestHosts container as a non-root user" Mar 16, 2026
Copilot AI requested a review from StuartFerguson March 16, 2026 14:12
@StuartFerguson StuartFerguson marked this pull request as ready for review March 16, 2026 14:25
@StuartFerguson StuartFerguson merged commit 868d456 into master Mar 16, 2026
5 checks passed
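
An added example, not code from this pull request or from Codacy: a small Python check for the condition the issue flags. It resolves the USER in effect at the end of the last stage, including a USER inherited through `FROM base AS final`. The base and publish stages, the image names and the function names are constructed for illustration; only the final stage mirrors the PR.

```python
import re

def effective_user(dockerfile_text):
    """Return the USER in effect at the end of the last stage, or None when no
    USER instruction applies there (the base image's default is then used)."""
    stage_user = {}              # stage alias -> USER in effect at end of that stage
    alias, user = None, None
    text = re.sub(r"\\[ \t]*\n", " ", dockerfile_text)   # join line continuations
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        instr = parts[0].upper()
        if instr == "FROM":
            args = [p for p in parts[1:] if not p.startswith("--")]
            # A stage built FROM an earlier alias inherits that stage's USER.
            user = stage_user.get(args[0].lower())
            alias = args[2].lower() if len(args) >= 3 and args[1].upper() == "AS" else None
        elif instr == "USER" and len(parts) > 1:
            user = parts[1]      # variable references are returned unresolved
        if alias is not None:
            stage_user[alias] = user
    return user

def runs_as_root(dockerfile_text):
    user = effective_user(dockerfile_text)
    if user is None:
        return True   # assumption: an external base image with no USER defaults to root
    return user.split(":")[0] in ("root", "0")

# Constructed samples; only the final stage of AFTER comes from the PR.
BEFORE = """\
FROM example/runtime:placeholder AS base
WORKDIR /app
FROM example/sdk:placeholder AS publish
RUN dotnet publish -o /app/publish
FROM base AS final
WORKDIR /app
COPY --from=publish /app/publish .
ENTRYPOINT ["dotnet", "TestHosts.dll"]
"""
AFTER = (BEFORE.replace("COPY --from=publish", "COPY --from=publish --chown=10001:10001")
         .replace("ENTRYPOINT", "USER 10001:10001\nENTRYPOINT"))
INHERITED = BEFORE.replace("FROM example/sdk", "USER 10001\nFROM example/sdk")
RESET = AFTER + "USER root\n"    # a later USER root undoes the hardening

if __name__ == "__main__":
    for name, df in [("before", BEFORE), ("after", AFTER), ("inherited", INHERITED), ("reset", RESET)]:
        print(name, effective_user(df), "root" if runs_as_root(df) else "non-root")
```

The check reads only the Dockerfile, so a `--user` override at run time or a non-root default baked into an external base image is outside what it can see.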