Fix container running as root in Dockerfile

[Copilot]

Without a USER instruction, the container process runs as root, violating least-privilege principles and flagged as a high-severity security issue by Codacy.

Changes

• TransactionProcessor/Dockerfile: In the final stage, create a dedicated non-root user (appuser) with explicit UID/GID 10001, no login shell, and switch to it before the entrypoint. The COPY instruction also sets ownership directly via --chown=appuser:appuser.

RUN groupadd --gid 10001 appuser \
    && useradd --uid 10001 --gid appuser --shell /usr/sbin/nologin appuser
COPY --from=publish --chown=appuser:appuser /app/publish .
USER appuser
ENTRYPOINT ["dotnet", "TransactionProcessor.dll"]

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

_{TIP This summary will be updated as you push new changes. Give us feedback}

[StuartFerguson]

@copilot here is what was done in one of my other repositories

FROM base AS final
WORKDIR /app
RUN groupadd --gid 10001 appuser
&& useradd --uid 10001 --gid appuser --shell /usr/sbin/nologin appuser
COPY --from=publish --chown=appuser:appuser /app/publish .
USER appuser
ENTRYPOINT ["dotnet", "TransactionProcessorACL.dll"]

[Copilot]

@copilot here is what was done in one of my other repositories

FROM base AS final
...

Updated in commit 29f4d0f to match that pattern — explicit UID/GID 10001, --shell /usr/sbin/nologin, and --chown=appuser:appuser on the COPY instruction.

[StuartFerguson]

@copilot my docker container now doesnt start in my integration tests, can you have a look why this could be

[Copilot]

@copilot my docker container now doesnt start in my integration tests, can you have a look why this could be

The container was crashing before Kestrel could start because StatementFilePollerService.Start() calls Directory.CreateDirectory("/home/txnproc/statements/outbound") during app startup (app.PreWarm()). The /home/txnproc/ directory in the base image is owned by root, so appuser got an UnauthorizedAccessException, which caused the process to exit before ever binding to port 5002 — hence the "Connection refused" health check failures.

Fixed in commit 9d4d7a9: the RUN step in the final stage now pre-creates /home/txnproc/statements/outbound and runs chown -R appuser:appuser /home/txnproc so appuser owns the entire directory tree (trace logs, config, and the statements listening directory) before the app starts.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• f.feedz.io
  • Triggering command: /usr/bin/dotnet dotnet restore TransactionProcessor/TransactionProcessor.csproj grep -l er\|TransactionProcessorContainer\|txnprocbase\|aspnetapp cessor/TransactionProcessor/TransactionProcessor.BusinessLogic/Services/StatementBuilder.cs rep aspnetapp ionValidationSer--norc de/node/bin/grep--noprofile grep -l ProcessorContainer\|TransactionProcessorContainer\|txnprocbase\|aspnetapp onProcessor/TransactionProcessor.Reconciliation.DomainEvents/TransactionProcessor.Reconciliationstatus nfig/composer/vendor/bin/grep aspnetapp s.Tests.csproj rep grep (dns block)
  • Triggering command: /usr/bin/dotnet dotnet test TransactionProcessor.Tests/TransactionProcessor.Tests.csproj --no-restore -nologo ProcessorContainer\|TransactionProcessorContainer\|txnprocbase\|aspnetapp onProcessor/TransactionProcessor.Aggregates.Tests/TransactionProcessor.Aggregates.Tests.csproj nfig/composer/vendor/bin/grep aspnetapp DomainService.csls-files rep grep -l ProcessorContainer\|TransactionProcessorContainer\|txnprocbase\|aspnetapp onProcessor/TransactionProcessor.DomainEvents/TransactionProcessor.DomainEvents.csproj /home/REDACTED/.local/bin/grep aspnetapp oj nfig/composer/vendor/bin/grep grep (dns block)
  • Triggering command: /usr/bin/dotnet dotnet test TransactionProcessor.Tests/TransactionProcessor.Tests.csproj --no-restore -nologo ProcessorContain-nxv onProcessor/TransactionProcessor.IntegrationTests/TransactionProcessor.IntegrationTests.csproj ep aspnetapp ionValidationExc-c tnet/tools/grep grep -l (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)