ASH Running as non-root user #109

Open
wants to merge 37 commits into
base: main

rafaelpereyra
Contributor

@rafaelpereyra rafaelpereyra commented Oct 28, 2024

Issue #, if available:
N/A
Description of changes:
Rebase from main with changes in #79.

In this PR we made the following changes:

  • Run ash as non-root user to comply with the security scans (ASH on ASH) and best practices.
  • Create a CI version of the docker file that still runs as root to comply with the different requirements from building platforms where UID/GID cannot be modified and there are additional agents installed at runtime that require elevated privileges.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

climbertjh2 and others added 25 commits April 29, 2024 12:36
…rtjh2/automated-security-helper into feature/78/run-container-non-root
Contributor

@climbertjh2 climbertjh2 left a comment

Requesting one minor change.

Dockerfile (outdated, resolved)
climbertjh2
climbertjh2 previously approved these changes Oct 28, 2024
Contributor

@climbertjh2 climbertjh2 left a comment

Changes look good to me.

Contributor Author

@rafaelpereyra rafaelpereyra left a comment

Check 777 permission on /src and /out folders

Dockerfile (outdated, resolved)
@climbertjh2
Contributor

This is better than where we started - so I'm good with merging.

scrthq
scrthq previously approved these changes Nov 1, 2024
@rafaelpereyra
Contributor Author

Includes changes from #79

@rafaelpereyra rafaelpereyra changed the title from "Merge from main" to "ASH Running as non-root user" on Nov 1, 2024
scrthq
scrthq previously approved these changes Nov 1, 2024
Contributor

@awsmadi awsmadi left a comment

looks great!

Contributor

@climbertjh2 climbertjh2 left a comment

This looks good to me.

I understand the addition of --target to the command-line options, since it is similar to the docker build command-line option of --target. However, in the context of the ash command-line, I think it might cause some confusion.

Also, in the command-line help, it says image to build - it probably should say image to run/build.
