From e19b8dfc7ce66ec7c2c4a38bd14051049a18f45c Mon Sep 17 00:00:00 2001
From: Florian Beisel
Date: Fri, 12 Jan 2024 20:12:34 +0100
Subject: [PATCH] refactor(Docker): :boom: Changes Dockerfile to more closely adhere to best practice
This commit changes the Dockerfile to adhere closer to the standards set by tools like Sonarqube et al. It enforces the usage of a nonroot user, copies files explicitly between build stages and makes the binary filename consistent with our binary releases
fix: #3
---
 Dockerfile | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 436a1d5..6294714 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,19 +5,36 @@ FROM golang:alpine3.19 AS builder
 WORKDIR /app
 # Copy the source code into the container
-COPY . .
+COPY go.mod .
+COPY go.sum .
+
+# Download required modules
 RUN go mod download
+ # Copy the main application file
+COPY main.go .
+
 # Build the application
-RUN CGO_ENABLED=0 GOOS=linux go build -o mybot .
+RUN CGO_ENABLED=0 GOOS=linux go build -o gitea-register-account-bot .
 # Use a small base image
 FROM alpine:edge
+# Create and set the application directory
 WORKDIR /app/
+# Add a non-root user to run the application
+RUN addgroup -S nonroot \
+ && adduser -S nonroot -G nonroot
+
 # Copy the binary from the builder stage
-COPY --from=builder /app/mybot /app/
+COPY --from=builder /app/gitea-register-account-bot /app/
+
+# Change file ownership to the nonroot user
+RUN chown -R nonroot:nonroot /app
+
+# Change to nonroot user
+USER nonroot
 # Command to run the executable
-CMD ["./mybot"]
+CMD ["./gitea-register-account-bot"]
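Review bot: The added `RUN chown -R nonroot:nonroot /app` gives the runtime user write access to its own executable, so a compromised process could overwrite `gitea-register-account-bot` in place and persist across restarts; the binary only needs to be readable and executable, and a separate `chown` layer also duplicates the file in the image. Drop the chown and copy the binary root-owned with an explicit mode instead (`COPY --from=builder --chmod=0755 …`, BuildKit required) — if the bot needs a writable directory at runtime, create one dedicated path for it rather than handing over all of `/app`. `USER nonroot` by name also defeats Kubernetes' `runAsNonRoot` admission check, which needs a numeric UID to verify; give the user a fixed UID with `adduser -u 10001` and switch with `USER 10001`. Separately, the unchanged `FROM alpine:edge` runtime base is a rolling, unstable tag — pinning a release tag (ideally with a digest) would make the image reproducible, in the spirit of this commit.
```dockerfile
# … unchanged: builder stage …

# Fixed UID/GID so runtimes (e.g. Kubernetes runAsNonRoot) can verify the user numerically
RUN addgroup -S -g 10001 nonroot \
    && adduser -S -D -H -u 10001 -G nonroot nonroot

# Root-owned, read/exec only: the runtime user must not be able to modify its own binary
COPY --from=builder --chmod=0755 /app/gitea-register-account-bot /app/

USER 10001

# … unchanged: CMD …
```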