Ensure minimal execution of 'chown'

Copying application files with --chown=<app user> makes the unprivileged runtime user the owner of its own code, so the process, or anything that compromises it, can rewrite those files while the container runs. Leaving the copied files owned by root while the process runs as a non-root user keeps the container effectively immutable: its code does not change at runtime, so the running application cannot be modified accidentally or maliciously.

Risk Level: informational
Platform: Docker
Spectral Rule ID: DOCKR011

REMEDIATION

Most of the time you can simply drop the --chown option. COPY and ADD then leave the files owned by root:root with the permission bits they had in the build context, and the app user only needs read permission (plus execute permission for scripts and binaries) through the "other" bits, not ownership. If a file is not world-readable, or a script such as main.sh lacks the execute bit in the build context, fix that with a RUN chmod step executed as root before switching to USER app. Reserve --chown for the few paths the application genuinely writes at runtime (caches, uploads, sockets), and prefer a volume or tmpfs for those rather than making application code writable.
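To find where a Dockerfile still uses --chown and separate the legitimate cases (runtime-writable data directories) from the ones that should be dropped, here is a small lint added as an example. It is not the Spectral rule's own implementation; the allowlist of writable directories and the sample Dockerfile it checks are constructed for this demonstration, and the allowlist is a hypothetical setting you would adjust for your image.

```shell
#!/bin/sh
# Added example, not the Spectral rule's own implementation: a small lint that
# flags COPY/ADD --chown in a Dockerfile unless the destination is a directory
# the application legitimately writes at runtime.

# Hypothetical allowlist of runtime-writable paths; adjust it for your image.
WRITABLE_DIRS="/data /var/cache/app /tmp"

# lint_chown DOCKERFILE
# Prints "<line number>: <instruction>" for every COPY/ADD --chown whose
# destination is outside WRITABLE_DIRS. Returns 1 if anything was flagged,
# 0 if the file is clean. Only the plain (non-JSON) instruction form is handled.
lint_chown() {
    dockerfile="$1"
    found=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # Dockerfile instructions are case-insensitive; compare in upper case.
        upper=$(printf '%s' "$line" | tr '[:lower:]' '[:upper:]')
        case "$upper" in
            COPY*--CHOWN=*|ADD*--CHOWN=*) ;;
            *) continue ;;
        esac
        # The destination is the last token of the instruction.
        dest=$(printf '%s\n' "$line" | awk '{print $NF}')
        allowed=0
        for dir in $WRITABLE_DIRS; do
            case "$dest" in
                "$dir"|"$dir"/*) allowed=1 ;;
            esac
        done
        if [ "$allowed" -eq 0 ]; then
            printf '%s: %s\n' "$lineno" "$line"
            found=1
        fi
    done < "$dockerfile"
    return "$found"
}

# Constructed sample Dockerfile for the demonstration. Lines 3 and 6 hand
# ownership of application code to the app user and should be flagged; line 4
# seeds a data directory the app writes to, which is an acceptable use.
SAMPLE_DOCKERFILE=$(mktemp)
cat > "$SAMPLE_DOCKERFILE" <<'EOF'
FROM alpine:3.19
WORKDIR /app
COPY --chown=app:app app-src/ /app
COPY --chown=app:app seed/ /data/seed
COPY config/ /etc/app
ADD --chown=app:app bundle.tar.gz /app/vendor
USER app
ENTRYPOINT ["/app/main.sh"]
EOF

if lint_chown "$SAMPLE_DOCKERFILE"; then
    echo "no unnecessary --chown found"
else
    echo "drop --chown on the lines above, or chmod the files instead"
fi
```

Run against the sample, the lint reports lines 3 and 6 and stays quiet about /data/seed, which is the distinction the remediation draws: ownership is only warranted where the application must write at build or run time.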

WORKDIR $APP_HOME
- COPY --chown=app:app app-src/ /app
+ COPY app-src/ /app
USER app
ENTRYPOINT /app/main.sh
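Review bot: the + line leaves /app owned by root as intended, but main.sh now runs through the "other" permission bits, so it must be world-readable and carry the execute bit in the build context (or receive a RUN chmod 755 /app/main.sh before USER app); otherwise the ENTRYPOINT fails with "permission denied" when the container starts. Minor: the ENTRYPOINT is in shell form, so main.sh runs as a child of /bin/sh and may not receive SIGTERM on docker stop; the exec form ENTRYPOINT ["/app/main.sh"] avoids that.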

Read more:

  • TBD