
Run the API container as a non-root user#509

Merged
StuartFerguson merged 2 commits into main from copilot/fix-security-user-specification on Mar 16, 2026

Conversation

Contributor

Copilot AI commented Mar 16, 2026

Codacy flagged the Linux container image because the final stage did not declare a runtime user, allowing the application to run as root. This change hardens the final image by explicitly switching execution to an unprivileged UID/GID.

  • Runtime user hardening

    • adds an explicit USER 10001:10001 in the final image stage
    • ensures the application process does not start with root privileges by default
  • File ownership alignment

    • updates the publish-stage copy to assign ownership during transfer into the final image
    • avoids permission mismatches when the app starts under the non-root user
  • Result

    • the container retains the existing entrypoint and image flow
    • only the final runtime security posture changes
```dockerfile
FROM base AS final
WORKDIR /app
COPY --from=publish --chown=10001:10001 /app/publish .
USER 10001:10001
ENTRYPOINT ["dotnet", "EstateReportingAPI.dll"]
```

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • f.feedz.io
    • Triggering command: /usr/bin/dotnet dotnet restore EstateReportingAPI.sln (dns block)
    • Triggering command: /usr/bin/dotnet dotnet restore EstateReportingAPI/EstateReportingAPI.csproj (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details the original issue you should resolve

<issue_title>[Security] By not specifying a USER, a program in the container may run as 'root'. This is a security hazard.</issue_title>
<issue_description>

Codacy ID: 43110db9c4d74c6bb872c415b7388f35

File: EstateReportingAPI/Dockerfile
Line: 24
Rule: Security (High)
Commit: 35ddf021c1ad4f674c3c48ee9c45313b93ba2553

Message: By not specifying a USER, a program in the container may run as 'root'. This is a security hazard.

**Code Snippet:**
```dockerfile
ENTRYPOINT ["dotnet", "EstateReportingAPI.dll"]
```

</issue_description>

Comments on the Issue (you are @copilot in this section)
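The Codacy rule behind this PR is a static one: it looks at the final stage of the Dockerfile and asks whether a `USER` is in effect when the image ships. The following is an added example, not code from the PR or the EstateReportingAPI project, that reproduces that check over constructed Dockerfiles: a "before" shaped like the flagged file, the hardened "after" from this PR, and a variant where a later `USER root` silently undoes the hardening. The image names (`runtime-image`, `sdk-image`) are placeholders. It also models two details a reviewer should keep in mind: a `USER` set in a build stage that is later discarded does not protect the final image, while a stage built `FROM` an earlier named stage does inherit that stage's `USER`.

```python
"""Static check for the finding behind this PR: does the final stage of a
Dockerfile run as an unprivileged user?  Added example; the Dockerfiles
below are constructed and the image names are placeholders."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

ROOT_USERS = {"root", "0"}


@dataclass
class StageResult:
    name: str
    user: Optional[str]   # effective USER at the end of the stage; None = never declared
    runs_as_root: bool


def _instructions(text: str):
    """Yield (INSTRUCTION, argument) pairs; joins backslash continuations,
    skips comments and blank lines."""
    joined = re.sub(r"\\\r?\n", " ", text)
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")


def _is_root(user: Optional[str]) -> bool:
    # USER takes "name", "name:group", "uid" or "uid:gid"; only the user part
    # decides.  An undeclared user is treated as root (the conservative reading
    # the Codacy rule takes: the Dockerfile itself guarantees nothing).
    if user is None:
        return True
    return user.split(":", 1)[0].strip() in ROOT_USERS


def analyze_dockerfile(text: str) -> List[StageResult]:
    """Record the effective USER at the end of every build stage.

    FROM starts a new stage; a stage built FROM an earlier named stage inherits
    that stage's USER, an external image counts as undeclared; a later USER in
    the same stage overrides an earlier one.
    """
    stages: List[StageResult] = []
    stage_user: Dict[str, Optional[str]] = {}
    name: Optional[str] = None
    user: Optional[str] = None

    def close():
        if name is not None:
            stage_user[name] = user
            stages.append(StageResult(name, user, _is_root(user)))

    for instr, arg in _instructions(text):
        if instr == "FROM":
            close()
            tokens = [t for t in arg.split() if not t.startswith("--")]
            image = tokens[0] if tokens else ""
            m = re.search(r"\bAS\s+(\S+)", arg, re.IGNORECASE)
            name = m.group(1) if m else f"stage{len(stages)}"
            user = stage_user.get(image)   # inherit only from a stage we have seen
        elif instr == "USER":
            user = arg
    close()
    return stages


def final_stage_runs_as_root(text: str) -> bool:
    """Only the last stage matters: that is what ships as the image."""
    stages = analyze_dockerfile(text)
    return stages[-1].runs_as_root if stages else True


# Constructed "before": the only USER lives in the SDK stage, which is
# discarded, so the shipped image still starts as root.
BEFORE = """
FROM runtime-image AS base
WORKDIR /app

FROM sdk-image AS publish
USER 10001:10001
WORKDIR /src
RUN echo build

FROM base AS final
WORKDIR /app
COPY --from=publish /app/publish .
ENTRYPOINT ["dotnet", "EstateReportingAPI.dll"]
"""

# The hardened final stage from this PR, appended to the same build stages.
AFTER = BEFORE.replace(
    "COPY --from=publish /app/publish .",
    "COPY --from=publish --chown=10001:10001 /app/publish .\nUSER 10001:10001",
)

# Constructed regression: a later USER root in the final stage reverts the fix.
REVERTED = AFTER.replace("ENTRYPOINT", "USER root\nENTRYPOINT")

if __name__ == "__main__":
    for label, df in (("before", BEFORE), ("after", AFTER), ("reverted", REVERTED)):
        print(label, "runs as root:", final_stage_runs_as_root(df))
```

The check is deliberately conservative: an external base image may set its own `USER`, but nothing in the Dockerfile proves it, so an undeclared user in the final stage is still reported. The `--chown` on the `COPY` is what keeps the published files readable once the process is no longer root; a runtime confirmation is simply running `id` inside the built container and seeing uid 10001 rather than 0.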



Co-authored-by: StuartFerguson <16325469+StuartFerguson@users.noreply.github.com>
Copilot AI changed the title from "[WIP] [Security] Specify a USER in Dockerfile to avoid root execution" to "Run the API container as a non-root user" on Mar 16, 2026
Copilot AI requested a review from StuartFerguson March 16, 2026 14:06
@StuartFerguson StuartFerguson marked this pull request as ready for review March 16, 2026 14:20
@StuartFerguson StuartFerguson merged commit 6ae3b54 into main Mar 16, 2026
5 checks passed


Development

Successfully merging this pull request may close these issues.

[Security] By not specifying a USER, a program in the container may run as 'root'. This is a security hazard.

2 participants