Add securityContext to lurcher

Author: J12934

lurcher/Dockerfile

@@ -20,6 +20,5 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o lurcher
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /
 COPY --from=builder /workspace/lurcher .
-USER nonroot:nonroot
 
 ENTRYPOINT ["/lurcher"]

operator/controllers/execution/scans/scan_reconciler.go

@@ -221,6 +221,9 @@ func (r *ScanReconciler) constructJobForScan(scan *executionv1.Scan, scanType *e
 		return nil, fmt.Errorf("Unknown imagePull Policy for lurcher: %s", lurcherPullPolicyRaw)
 	}
 
+	falsePointer := false
+	truePointer := true
+
 	lurcherSidecar := &corev1.Container{
 		Name:            "lurcher",
 		Image:           lurcherImage,
@@ -260,6 +263,15 @@ func (r *ScanReconciler) constructJobForScan(scan *executionv1.Scan, scanType *e
 				ReadOnly:  true,
 			},
 		},
+		SecurityContext: &corev1.SecurityContext{
+			RunAsNonRoot:             &truePointer,
+			AllowPrivilegeEscalation: &falsePointer,
+			ReadOnlyRootFilesystem:   &truePointer,
+			Privileged:               &falsePointer,
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{"all"},
+			},
+		},
 	}
 
 	job.Spec.Template.Spec.Containers = append(job.Spec.Template.Spec.Containers, *lurcherSidecar)