Merge pull request #971 from l3montree-dev/chore/improve-oci-stuff

seb-kw · web-flow · commit 643f3f522e5d · 2025-08-05T15:09:13.000+02:00
Sets nonroot user for devguard api image, in helm default values and improves docker compose try it
diff --git a/Dockerfile b/Dockerfile
@@ -24,15 +24,17 @@ ENV FLAGS="ldflags='-X main.release=devguard@${GITHUB_REF_NAME}'"
 RUN CGO_ENABLED=0 make devguard
 RUN CGO_ENABLED=0 make devguard-cli
 
-FROM gcr.io/distroless/static-debian12@sha256:b7b9a6953e7bed6baaf37329331051d7bdc1b99c885f6dbeb72d75b1baad54f9
+FROM gcr.io/distroless/static-debian12:nonroot@sha256:cdf4daaf154e3e27cfffc799c16f343a384228f38646928a1513d925f473cb46
+
+USER 53111
 
 WORKDIR /
 
-COPY config/rbac_model.conf /config/rbac_model.conf
-COPY --from=build /go/src/app/devguard /usr/local/bin/devguard
-COPY --from=build /go/src/app/devguard-cli /usr/local/bin/devguard-cli
-COPY templates /templates
-COPY intoto-public-key.pem /intoto-public-key.pem
-COPY cosign.pub /cosign.pub
+COPY --chown=53111:53111 config/rbac_model.conf /config/rbac_model.conf
+COPY --chown=53111:53111 --from=build /go/src/app/devguard /usr/local/bin/devguard
+COPY --chown=53111:53111 --from=build /go/src/app/devguard-cli /usr/local/bin/devguard-cli
+COPY --chown=53111:53111 templates /templates
+COPY --chown=53111:53111 intoto-public-key.pem /intoto-public-key.pem
+COPY --chown=53111:53111 cosign.pub /cosign.pub
 
 CMD ["devguard"]
diff --git a/charts/devguard/values.yaml b/charts/devguard/values.yaml
@@ -44,9 +44,11 @@ api:
     capabilities:
       drop:
         - ALL
-    #readOnlyRootFilesystem: true
-    #runAsNonRoot: true
-    #runAsUser: 1000
+    seccompProfile:
+      type: RuntimeDefault
+    allowPrivilegeEscalation: false
+    runAsNonRoot: true
+    runAsUser: 53111
 
   autoscaling:
     enabled: false
diff --git a/docker-compose-try-it.yaml b/docker-compose-try-it.yaml
@@ -4,6 +4,8 @@ services:
   postgresql:
     image: ghcr.io/l3montree-dev/devguard/postgresql:0.13.4
     container_name: devguard-postgres
+    security_opt:
+      - no-new-privileges:true 
     environment:
       POSTGRES_USER: postgres
       POSTGRES_PASSWORD: password
@@ -23,6 +25,10 @@ services:
 
   kratos-migrate:
     image: oryd/kratos:v1.3.1
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
     depends_on:
       postgresql:
         condition: service_healthy
@@ -39,6 +45,11 @@ services:
   kratos:
     image: oryd/kratos:v1.3.1
     container_name: devguard-kratos
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    user: "53111"
     depends_on:
       postgresql:
         condition: service_healthy
@@ -62,6 +73,11 @@ services:
   devguard-api:
     image: ghcr.io/l3montree-dev/devguard:0.13.4
     container_name: devguard-api
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    user: "53111"
     depends_on:
       postgresql:
         condition: service_healthy
@@ -87,6 +103,10 @@ services:
   devguard-web:
     image: ghcr.io/l3montree-dev/devguard-web:0.13.4
     container_name: devguard-web
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
     depends_on:
       - devguard-api
     ports:
