Run MessagingService container as a non-root user #368

Merged
StuartFerguson merged 3 commits into master from copilot/fix-root-user-security-issue
Mar 16, 2026

Copilot AI commented Mar 16, 2026

Codacy flagged MessagingService/Dockerfile because the final Linux container image did not specify a runtime user, allowing the process to run as root. This change sets an explicit non-root user in the final image stage.

  • Container runtime hardening

    • Added an explicit USER directive to the final stage of MessagingService/Dockerfile
    • Ensures dotnet MessagingService.dll does not start as root by default
  • Scope

    • Limited to the final runtime image stage
    • No changes to build/publish steps or application behavior
  • Resulting Dockerfile change

    FROM base AS final
    WORKDIR /app
    COPY --from=publish /app/publish .
    USER 10001
    ENTRYPOINT ["dotnet", "MessagingService.dll"]

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • f.feedz.io
    • Triggering command: /usr/bin/dotnet dotnet restore MessagingService.sln (dns block)
    • Triggering command: /usr/bin/dotnet dotnet restore MessagingService/MessagingService.csproj (dns block)

Original prompt

This section details on the original issue you should resolve

<issue_title>[Security] By not specifying a USER, a program in the container may run as 'root'. This is a security hazard.</issue_title>
<issue_description>

Codacy ID: abce298abca6d610008b217b22d765da

File: MessagingService/Dockerfile
Line: 34
Rule: Security (High)
Commit: c615e72147bf1f47ec301470ae5601fd52f5406f

Message: By not specifying a USER, a program in the container may run as 'root'. This is a security hazard.

**Code Snippet:**
```csharp
ENTRYPOINT ["dotnet", "MessagingService.dll"] 
```

</issue_description>

Comments on the Issue (you are @copilot in this section)


Co-authored-by: StuartFerguson <16325469+StuartFerguson@users.noreply.github.com>
Copilot AI changed the title from "[WIP] [SECURITY] Fix container USER specification to avoid root access" to "Run MessagingService container as a non-root user" Mar 16, 2026
Copilot AI requested a review from StuartFerguson March 16, 2026 14:10
StuartFerguson marked this pull request as ready for review March 16, 2026 14:25
StuartFerguson merged commit 64246ad into master Mar 16, 2026
6 checks passed
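
A minimal lint for the condition Codacy reported in this PR, as an added example that is not part of the PR or the project's code: it resolves the effective `USER` of the last build stage, including a `USER` inherited through `FROM <earlier stage>`, and treats a missing `USER`, `root` or UID 0 as a finding. The sample Dockerfile is constructed around the final stage quoted above; the `base` and `publish` stage contents and the image names are placeholders.

```python
import re

# Constructed sample: the final stage is the one quoted in this PR; the
# base/publish stages and image names are placeholders, not the project's.
SAMPLE_FIXED = """\
FROM runtime-image:placeholder AS base
WORKDIR /app
FROM sdk-image:placeholder AS publish
RUN dotnet publish -c Release \\
    -o /app/publish
FROM base AS final
WORKDIR /app
COPY --from=publish /app/publish .
USER 10001
ENTRYPOINT ["dotnet", "MessagingService.dll"]
"""
SAMPLE_BEFORE = SAMPLE_FIXED.replace("USER 10001\n", "")


def final_stage_user(dockerfile):
    """Effective USER of the last stage, or None if this file never sets one."""
    text = re.sub(r"\\[ \t]*\n", " ", dockerfile)  # join line continuations
    stage_users = {}            # stage name -> USER in effect at end of stage
    name, user = None, None
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        op = parts[0].upper()
        args = [p for p in parts[1:] if not p.startswith("--")]  # skip --platform
        if op == "FROM" and args:
            # FROM <earlier stage> inherits that stage's USER; an external
            # image may set its own USER, which this file cannot show.
            user = stage_users.get(args[0].lower())
            name = args[2].lower() if len(args) > 2 and args[1].upper() == "AS" else None
        elif op == "USER" and args:
            user = args[0]
        if name:
            stage_users[name] = user
    return user


def runs_as_root(user):
    """True when USER is unset in the file, or names root / UID 0."""
    return user is None or user.split(":", 1)[0] in ("root", "0")


if __name__ == "__main__":
    for label, df in (("before", SAMPLE_BEFORE), ("after", SAMPLE_FIXED)):
        u = final_stage_user(df)
        print(label, "USER =", u, "-> finding" if runs_as_root(u) else "-> ok")
```

A `None` result means only that the Dockerfile itself never sets `USER`; confirm the real runtime identity on the built image, since an external base image can set its own.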