run as nonroot

mms-gianni · mms-gianni · commit 3be8e0467416 · 2023-10-03T15:58:32.000+02:00
diff --git a/src/modules/kubectl.ts b/src/modules/kubectl.ts
@@ -574,6 +574,9 @@ export class Kubectl {
                     },
                     spec: {
                         restartPolicy: 'Never',
+                        securityContext: {
+                            runAsUser: 1000
+                        },
                         containers: [
                             {
                                 name: 'trivy-repo-scan',
@@ -589,6 +592,8 @@ export class Kubectl {
                                     "json",
                                     "--scanners",
                                     "vuln,secret,config",
+                                    "--cache-dir",
+                                    "/tmp/trivy",
                                     "--exit-code",
                                     "0"
                                 ],
@@ -627,6 +632,9 @@ export class Kubectl {
                     },
                     spec: {
                         restartPolicy: 'Never',
+                        securityContext: {
+                            runAsUser: 1000
+                        },
                         containers: [
                             {
                                 name: 'trivy-repo-scan',
@@ -640,6 +648,8 @@ export class Kubectl {
                                     "json",
                                     "--scanners",
                                     "vuln",
+                                    "--cache-dir",
+                                    "/tmp/trivy",
                                     "--exit-code",
                                     "0"
                                 ],
