Run FileProcessor as the base image’s non-root user #689

Closed
Copilot wants to merge 10 commits into main from copilot/fix-security-hazard-root-user

Copilot AI commented Mar 16, 2026

This updates the Linux container image to stop running FileProcessor as root, addressing the container hardening issue raised on FileProcessor/Dockerfile. It also aligns the runtime user with the base image’s expected non-root account instead of introducing a custom one.

  • Runtime user
    • Switch the final image to run as the base image’s built-in non-root user: app
    • Avoid creating a second service account in the final stage
  • Filesystem ownership
    • Ensure /home/txnproc exists in the final image
    • Reassign /app and /home/txnproc to app:app so the service can access its runtime paths for config, logs, and file processing
  • Dockerfile change
    • Replace custom user creation with ownership adjustment and USER app

```dockerfile
FROM mkdir AS final
WORKDIR /app
COPY --from=publish /app/publish .
RUN mkdir -p /home/txnproc \
    && chown -R app:app /app /home/txnproc
USER app
ENTRYPOINT ["dotnet", "FileProcessor.dll"]
```

Original prompt

This section details the original issue you should resolve

<issue_title>[Security] By not specifying a USER, a program in the container may run as 'root'. This is a security hazard.</issue_title>
<issue_description>Codacy ID: 7139f3b4b22c59b0fed7f38c85f9bef4

File: FileProcessor/Dockerfile
Line: 30
Rule: Security (High)
Commit: 552b6744021b018ff322b894db9d833640ed4a84

Code Snippet:

```
ENTRYPOINT ["dotnet", "FileProcessor.dll"]
```</issue_description>

## Comments on the Issue (you are @copilot in this section)

<comments>
</comments>
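
As an added example (not part of this pull request or the project's code), a small Python check for the condition the Codacy rule reports: it resolves the effective USER of a Dockerfile's final stage, following inheritance from an earlier named stage, and treats an unset USER as root. The image names and the build stage in the sample are constructed placeholders; only the final-stage lines come from the description above.

```python
def logical_lines(text):
    """Yield instructions with backslash continuations joined, comments dropped."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""

def final_stage_user(text):
    """Effective USER of the last stage, or None if nothing in its stage chain sets one."""
    users, alias, current = {}, None, None  # users: stage alias -> USER at end of stage
    for line in logical_lines(text):
        parts = line.split()
        op = parts[0].upper()
        if op == "FROM":
            args = [p for p in parts[1:] if not p.startswith("--")]
            current = users.get(args[0].lower())  # inherited only from an earlier stage
            alias = args[2].lower() if len(args) > 2 and args[1].upper() == "AS" else None
        elif op == "USER" and len(parts) > 1:
            current = parts[1]
        if alias:
            users[alias] = current
    return current

def runs_as_root(text):
    """True when the final stage has no USER or names root/UID 0 (unset is assumed root)."""
    user = final_stage_user(text)
    return user is None or user.split(":")[0].lower() in ("root", "0")

# Constructed sample: image names and the build stage are placeholders.
BEFORE = """\
FROM example.test/runtime:1 AS base
FROM example.test/sdk:1 AS build
USER builder
FROM base AS final
WORKDIR /app
ENTRYPOINT ["dotnet", "FileProcessor.dll"]
"""
# Same file with the ownership fix and USER app from the PR description.
AFTER = BEFORE.replace("ENTRYPOINT", "RUN mkdir -p /home/txnproc \\\n"
    "    && chown -R app:app /app /home/txnproc\nUSER app\nENTRYPOINT")

if __name__ == "__main__":
    print("before:", final_stage_user(BEFORE), "| after:", final_stage_user(AFTER))
```

A USER set in the build stage does not reach the final stage, which is why the sample reports no user before the change. The check cannot see a USER baked into an external base image, so it errs toward flagging.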



Copilot AI and others added 2 commits March 16, 2026 14:06
Co-authored-by: StuartFerguson <16325469+StuartFerguson@users.noreply.github.com>
Co-authored-by: StuartFerguson <16325469+StuartFerguson@users.noreply.github.com>
Copilot AI changed the title from "[WIP] [Security] Fix program running as root in container" to "Harden FileProcessor container to run as a non-root user" Mar 16, 2026
Copilot AI requested a review from StuartFerguson March 16, 2026 14:09
StuartFerguson marked this pull request as ready for review March 16, 2026 14:25
Copilot AI and others added 2 commits March 16, 2026 15:02
Co-authored-by: StuartFerguson <16325469+StuartFerguson@users.noreply.github.com>
Co-authored-by: StuartFerguson <16325469+StuartFerguson@users.noreply.github.com>
Copilot AI changed the title from "Harden FileProcessor container to run as a non-root user" to "Run FileProcessor as the base image’s non-root user" Mar 16, 2026
Development

Successfully merging this pull request may close these issues.

[Security] By not specifying a USER, a program in the container may run as 'root'. This is a security hazard.
