build(openresty): use non-root user

thomasleplus · thomasleplus · commit a6b28f6328c7 · 2025-09-11T19:52:04.000+02:00
diff --git a/openid-connect-provider-debugger/Dockerfile b/openid-connect-provider-debugger/Dockerfile
@@ -1,8 +1,10 @@
-# checkov:skip=CKV_DOCKER_3: [Missing USER]: inherited from parent image
-# trivy:ignore:AVD-DS-0002: [Missing USER]: inherited from parent image
 FROM openresty/openresty:1.27.1.2-4-alpine-fat@sha256:e93c5ab42fb6c7a882418c2bad0b39b566759f88c3fdd62f97264b621b6cba80
 
 ARG LUA_RESTY_OPENIDC_VERSION="1.8.0-1"
+ARG USER_NAME=openresty
+ARG USER_HOME=/home/openresty
+ARG USER_ID=1000
+ARG USER_GECOS=OpenResty
 
 SHELL ["/bin/ash", "-euo", "pipefail", "-c"]
 
@@ -31,4 +33,18 @@ COPY default.conf /etc/nginx/conf.d/
 
 COPY index.html error.html /usr/local/openresty/nginx/html/
 
+RUN adduser \
+  --home "${USER_HOME}" \
+  --uid "${USER_ID}" \
+  --gecos "${USER_GECOS}" \
+  --disabled-password \
+  "${USER_NAME}" \
+  chown -R "${USER_NAME}:${USER_NAME}" /var/run/openresty /usr/local/openresty/nginx/logs
+
+USER "${USER_NAME}"
+
+ENV HOME="${USER_HOME}"
+
+WORKDIR "${HOME}"
+
 EXPOSE 80 443
