fix: change Dockerfiles to not run as root (#21)

platzhersh · claude · web-flow · commit 5fdaa2c2624c · 2026-01-04T21:43:08.000+01:00
fix(security): run Docker containers as non-root user

Add non-root user configuration to api and web Dockerfiles to address
SonarCloud security hotspot docker:S6471. The python and node base
images run as root by default, which is a security risk.

- api/Dockerfile: Create appuser (uid 1000) and switch to it
- web/Dockerfile: Use built-in node user and switch to it

Co-authored-by: Claude &lt;noreply@anthropic.com&gt;
diff --git a/api/Dockerfile b/api/Dockerfile
@@ -19,6 +19,13 @@ COPY api/templates ./templates
 # Generate Prisma client
 RUN prisma generate
 
+# Create non-root user for security
+RUN groupadd --gid 1000 appgroup && \
+    useradd --uid 1000 --gid appgroup --shell /bin/bash --create-home appuser && \
+    chown -R appuser:appgroup /app
+
+USER appuser
+
 EXPOSE 8000
 
 # Use Railway's $PORT if available, otherwise default to 8000
diff --git a/web/Dockerfile b/web/Dockerfile
@@ -20,6 +20,11 @@ RUN pnpm run build
 # Install serve globally using npm (pnpm global install has issues in Docker)
 RUN npm install -g serve
 
+# Change ownership to the built-in node user for security
+RUN chown -R node:node /app
+
+USER node
+
 EXPOSE 3000
 
 # Use Railway's $PORT if available, otherwise default to 3000
