57 changes: 57 additions & 0 deletions utilities/contributors/.dockerignore
@@ -0,0 +1,57 @@
# Python
__pycache__/
*.py[cod]
*$py.class
*.so
.Python
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
wheels/
*.egg-info/
.installed.cfg
*.egg

# Virtual environments
.env
.venv
env/
venv/
ENV/
env.bak/
venv.bak/

# IDE
.vscode/
.idea/
*.swp
*.swo

# OS
.DS_Store
Thumbs.db

# Git
.git/
.gitignore

# Test files
test.json
*-test.json
*.log
tests/

# Documentation
README.md

# Docker
Dockerfile
.dockerignore
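Review bot: README.md is excluded from the build context (the line under `# Documentation`), but the Dockerfile in this PR runs `uv pip install .` on the copied tree; if pyproject.toml declares `readme = "README.md"`, that build step fails inside the image. Either drop the exclusion or confirm the project metadata does not reference the file. Excluding `.git/` and `.env` is the right call, since `COPY . /app` would otherwise bake repository history and any local credential file into the image layers.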
27 changes: 27 additions & 0 deletions utilities/contributors/.gitignore
@@ -0,0 +1,27 @@
# Python
__pycache__/
*.py[cod]
*$py.class
*.so
.Python
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
wheels/
*.egg-info/
.installed.cfg
*.egg

*.json
.python-version
.venv/
tests/data/*
!tests/data/.gitkeep
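Review bot: `.env` is listed in .dockerignore but not here, so a local environment file holding tokens would be kept out of the image yet still be committed; add `.env` to this file so the two ignore lists agree. Also note that `*.json` ignores every JSON file in the tree, so any JSON the tool needs to ship (schemas, fixtures outside tests/data) must be force-added; consider narrowing it to the output patterns .dockerignore uses (`test.json`, `*-test.json`).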
17 changes: 17 additions & 0 deletions utilities/contributors/Dockerfile
@@ -0,0 +1,17 @@
FROM ghcr.io/astral-sh/uv:python3.12-bookworm-slim

WORKDIR /app
ENV UV_COMPILE_BYTECODE=1
ENV UV_LINK_MODE=copy

COPY pyproject.toml uv.lock /app/
RUN --mount=type=cache,target=/root/.cache/uv \
uv sync --locked --no-install-project --no-dev

COPY . /app
RUN --mount=type=cache,target=/root/.cache/uv \
uv pip install . --no-deps

ENV PATH="/app/.venv/bin:$PATH"

ENTRYPOINT ["semgrep-contributors"]
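Review bot: no USER is set, so the ENTRYPOINT `semgrep-contributors` runs as root inside the container; create an unprivileged user after the install steps and switch to it before the ENTRYPOINT (`RUN useradd -m -u 1000 appuser`, then `USER appuser`), using `chown` or `COPY --chown` on /app only if the tool actually writes there. Separately, `FROM ghcr.io/astral-sh/uv:python3.12-bookworm-slim` is a moving tag; `uv sync --locked` already pins the Python dependencies, so pin the base image by digest (`@sha256:...`) to make the rest of the image reproducible as well.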

Semgrep identified an issue in your code:
By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.

To resolve this comment:

✨ Commit Assistant fix suggestion

Suggested change
ENTRYPOINT ["semgrep-contributors"]
FROM ghcr.io/astral-sh/uv:python3.12-bookworm-slim
WORKDIR /app
ENV UV_COMPILE_BYTECODE=1
ENV UV_LINK_MODE=copy
COPY pyproject.toml uv.lock /app/
RUN --mount=type=cache,target=/root/.cache/uv \
uv sync --locked --no-install-project --no-dev
COPY . /app
RUN --mount=type=cache,target=/root/.cache/uv \
uv pip install . --no-deps
ENV PATH="/app/.venv/bin:$PATH"
# Create non-root user 'appuser' with UID 1000
RUN useradd -m -u 1000 appuser && \
chown -R appuser /app
# Switch to non-root user
USER appuser
ENTRYPOINT ["semgrep-contributors"]
View step-by-step instructions
  1. Add a non-root user to your Dockerfile after installing your dependencies but before setting the ENTRYPOINT.
    For example, add RUN useradd -m -u 1000 appuser to create a new user named appuser.
  2. Change the active user by adding USER appuser before the ENTRYPOINT line.
    For example:
    RUN useradd -m -u 1000 appuser
    USER appuser
    ENTRYPOINT ["semgrep-contributors"]
    
  3. Make sure any files or directories your app needs write access to are owned or writable by appuser.
    You can use a command like RUN chown -R appuser /app if needed.
💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by missing-user-entrypoint.

You can view more details about this finding in the Semgrep AppSec Platform.
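A check for the condition the finding above describes, written as an added example that is not part of the pull request or of Semgrep: it parses a Dockerfile (joining backslash continuations and skipping comments), tracks the effective USER per build stage, and reports when the final stage still ends as root, which covers an explicit `USER root`, `USER 0`, and the multi-stage case where a non-root USER is set only in a builder stage. The sample inputs are constructed from the Dockerfile in this diff, the bot's suggested fix, and a made-up two-stage file; the finding text and function names are this example's own.

```python
"""Report Dockerfiles whose final stage runs as root (added example, not project code)."""

ROOT_USERS = {"root", "0"}


def parse_instructions(text: str) -> list[tuple[str, str]]:
    """Return (INSTRUCTION, arguments) pairs with line continuations joined."""
    instructions: list[tuple[str, str]] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank and comment lines never terminate a continuation
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        name, _, args = buf.partition(" ")
        instructions.append((name.upper(), args.strip()))
        buf = ""
    return instructions


def is_root(user_spec: str) -> bool:
    """USER takes user[:group]; only the user part decides whether it is root."""
    user = user_spec.split(":", 1)[0].strip()
    return user == "" or user in ROOT_USERS


def final_stage_user(text: str) -> tuple[str, bool]:
    """Return (user, explicitly_set) for the last build stage.

    Each FROM starts a new stage and, conservatively, resets the user to root:
    whether the base image itself sets a USER is not visible from the file.
    """
    user, explicit = "root", False
    for name, args in parse_instructions(text):
        if name == "FROM":
            user, explicit = "root", False
        elif name == "USER":
            user, explicit = args, True
    return user, explicit


def check_dockerfile(text: str) -> list[str]:
    """Return findings; an empty list means the final stage is non-root."""
    user, explicit = final_stage_user(text)
    if not is_root(user):
        return []
    reason = f"last USER in final stage is {user!r}" if explicit else "no USER in final stage"
    return [f"container runs as root: {reason}"]


# Constructed sample: the Dockerfile from this PR, as shown in the diff.
ORIGINAL = """\
FROM ghcr.io/astral-sh/uv:python3.12-bookworm-slim

WORKDIR /app
ENV UV_COMPILE_BYTECODE=1
ENV UV_LINK_MODE=copy

COPY pyproject.toml uv.lock /app/
RUN --mount=type=cache,target=/root/.cache/uv \\
    uv sync --locked --no-install-project --no-dev

COPY . /app
RUN --mount=type=cache,target=/root/.cache/uv \\
    uv pip install . --no-deps

ENV PATH="/app/.venv/bin:$PATH"

ENTRYPOINT ["semgrep-contributors"]
"""

# Constructed sample: the tail of the bot's suggested fix (user created, then USER switched).
SUGGESTED_FIX = ORIGINAL.replace(
    'ENTRYPOINT ["semgrep-contributors"]',
    "# Create non-root user 'appuser' with UID 1000\n"
    "RUN useradd -m -u 1000 appuser && \\\n    chown -R appuser /app\n"
    "USER appuser\n"
    'ENTRYPOINT ["semgrep-contributors"]',
)

# Constructed edge case: USER in a builder stage does not carry into the final image.
MULTISTAGE = """\
FROM ghcr.io/astral-sh/uv:python3.12-bookworm-slim AS builder
USER 1000:1000
WORKDIR /app
COPY . /app

FROM ghcr.io/astral-sh/uv:python3.12-bookworm-slim
COPY --from=builder /app /app
ENTRYPOINT ["semgrep-contributors"]
"""

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("suggested fix", SUGGESTED_FIX), ("multi-stage", MULTISTAGE)):
        print(f"{label}: {check_dockerfile(text) or 'ok, runs as ' + final_stage_user(text)[0]}")
```

Running the module prints a finding for the original and the multi-stage file and "ok, runs as appuser" for the suggested fix; the same functions can be pointed at any Dockerfile read from disk in a pre-commit or CI step.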
