ci: harden Java dedup Docker sample

Signed-off-by: Asish Kumar <officialasishkumar@gmail.com>

Author: officialasishkumar

java-dedup/Dockerfile

@@ -2,10 +2,15 @@ ARG JAVA_VERSION=8
 FROM eclipse-temurin:${JAVA_VERSION}-jre
 
 WORKDIR /app
-COPY target/java-dedup-0.0.1-SNAPSHOT.jar /app/app.jar
-COPY target/jacocoagent.jar /app/jacocoagent.jar
-COPY target/classes /app/target/classes
+
+RUN groupadd --gid 10001 appuser \
+    && useradd --uid 10001 --gid 10001 --home-dir /home/appuser --create-home --shell /usr/sbin/nologin appuser
+
+COPY --chown=10001:10001 target/java-dedup-0.0.1-SNAPSHOT.jar /app/app.jar
+COPY --chown=10001:10001 target/jacocoagent.jar /app/jacocoagent.jar
+COPY --chown=10001:10001 target/classes /app/target/classes
 
 ENV KEPLOY_JAVA_CLASS_DIRS=/app/target/classes
 EXPOSE 8080
+USER 10001:10001
 ENTRYPOINT ["java", "-javaagent:/app/jacocoagent.jar=address=127.0.0.1,port=36320,destfile=/tmp/jacoco-keploy.exec,output=tcpserver", "-jar", "/app/app.jar"]

java-dedup/README.md

@@ -35,7 +35,7 @@ Run it with Docker Compose after the Maven package step has created `target/java
 docker compose up --build
 ```
 
-For a more restricted container run:
+The image runs as a non-root user. For a more restricted container run with a read-only root filesystem, dropped capabilities, `no-new-privileges`, and a writable `/tmp` tmpfs:
 
 ```bash
 docker compose -f docker-compose.yml -f docker-compose.restricted.yml up --build

java-dedup/docker-compose.restricted.yml

@@ -2,7 +2,7 @@ services:
   java-dedup:
     read_only: true
     tmpfs:
-      - /tmp
+      - /tmp:rw,nosuid,nodev,mode=1777
     cap_drop:
       - ALL
     security_opt: