
Harden Container Runtime with Non-Root User #3941

Merged
wagoodman merged 18 commits into anchore:main from MikeTheCyberGuy:main
Jun 5, 2025

Conversation

MikeTheCyberGuy (Contributor) commented May 28, 2025

This PR makes the following changes:

  • uses gcr.io/distroless/static-debian12 as the base image
  • ensures the built containers are non-root users

In the process of working on this, additional docker manifest updates were made:

  • image_templates section was missing from the debug variant
  • the top-level images should be the manifests and the tagged images should always be architecture specific (according to best practices)

Changes

  • Bug fix (non-breaking change which fixes an issue)

Checklist

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections

Signed-off-by: Michael Briley <michael.briley937@gmail.com>
spiffcs (Contributor) commented Jun 2, 2025

Running the checks on this now -- thank you for taking the time to improve the security posture of our images!
@anchore/tools do we want to offer these as new separate images or is worth the cost of breaking user pipelines here?

We might have to ensure file permissions are compatible here and set the user before the copy:
`RUN chown -R nonroot:nonroot /tmp /syft /other-paths`
checking this now.

wagoodman added the "bug" (Something isn't working) label Jun 3, 2025
Review thread on .github/workflows/validations.yaml (outdated)
Signed-off-by: Michael Briley <michael.briley937@gmail.com>
Review thread on Dockerfile (outdated)
wagoodman added 4 commits June 5, 2025 11:07
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
wagoodman (Contributor) commented
I refactored this to use the gcr.io/distroless/static-debian12 images directly, so QEMU is not needed (which is much simpler). The difference is that we're using the nonroot tags which should deal with the core issue more simply than needing our own security context stage.
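The approach the thread converges on (a distroless static-debian12 base, the :nonroot tag instead of a custom user/permissions stage, and per-architecture binaries cross-compiled on the build host so QEMU is not needed), written out as an added example Dockerfile. It is not the Dockerfile from this PR or from the syft repository; the Go module layout (./cmd/app), the /out staging paths and the /work directory are assumptions.

```dockerfile
# Added example; not the Dockerfile from this PR or from syft. The module
# path ./cmd/app, the /out layout and /work are assumptions.
FROM --platform=$BUILDPLATFORM golang:1.24 AS build
ARG TARGETOS TARGETARCH
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO_ENABLED=0 gives a fully static binary: static-debian12 ships no libc.
# Cross-compiling with GOOS/GOARCH on the build platform means each
# architecture's image is produced without QEMU emulation.
RUN mkdir -p /out/bin /out/work && \
    CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH \
    go build -trimpath -ldflags="-s -w" -o /out/bin/app ./cmd/app

# The :nonroot tag already declares the runtime user (nonroot, uid 65532)
# in its image config, so no USER line or extra "security context" stage
# is needed; the plain tag of the same image would run as root.
FROM gcr.io/distroless/static-debian12:nonroot
# COPY creates files as root unless told otherwise. Root-owned is fine for
# the read-only binary; anything the process must write to has to be owned
# by the runtime uid. Numeric ids avoid depending on the image's /etc/passwd.
COPY --from=build --chown=65532:65532 /out/bin/app /app
# A writable work directory for output and caches, created in the build
# stage (distroless has no shell for mkdir/chown) and copied in with the
# right ownership.
COPY --from=build --chown=65532:65532 /out/work /work
WORKDIR /work
ENTRYPOINT ["/app"]
```

Build the multi-arch manifest with `docker buildx build --platform linux/amd64,linux/arm64 -t example/app:nonroot .` (the image name is a placeholder) and confirm the declared runtime user with `docker image inspect example/app:nonroot --format '{{.Config.User}}'`: an empty value, `0` or `root` means the process starts as root. The caveat that matters for users of such an image: a bind-mounted host directory, e.g. `-v "$PWD:/work"`, must be writable by uid 65532, or the container must be started with `--user "$(id -u):$(id -g)"` so the static binary runs as the invoking user; otherwise writes into the mount fail with permission denied, which is the class of problem a switch from root to non-root by default exposes in existing pipelines.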

wagoodman added 2 commits June 5, 2025 11:18
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
wagoodman changed the title from "Enable Multi-Arch Builds and Harden Container Runtime with Non-Root User" to "Harden Container Runtime with Non-Root User" Jun 5, 2025
wagoodman added 2 commits June 5, 2025 11:39
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
@wagoodman wagoodman merged commit 868a6a7 into anchore:main Jun 5, 2025
12 checks passed
spiffcs added a commit that referenced this pull request Jun 9, 2025
* main: (31 commits)
  remove benchmark utils (#3982)
  fix: exclude packages with SPDX GENERATED_FROM source package indication (#3981)
  chore(deps): bump modernc.org/sqlite from 1.37.1 to 1.38.0 (#3979)
  chore(deps): bump github.com/go-git/go-git/v5 from 5.16.1 to 5.16.2 (#3978)
  chore(deps): update tools to latest versions (#3977)
  chore(deps): update CPE dictionary index (#3976)
  chore(deps): bump golang.org/x/net from 0.40.0 to 0.41.0 (#3970)
  chore(deps): bump github.com/sergi/go-diff (#3971)
  Fix Python package dependency detection (#3965)
  fix: Remove three Rust crate false positive CPE matches (#3967)
  Harden Container Runtime with Non-Root User (#3941)
  fix: Remove two Rust crate false positive CPE matches (#3962)
  chore(deps): bump golang.org/x/mod from 0.24.0 to 0.25.0 (#3963)
  chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.12 to 0.5.13 (#3964)
  fix: bump stereoscope to fix symlink performance issue (#3953)
  chore(deps): bump github.com/go-git/go-git/v5 from 5.16.0 to 5.16.1 (#3960)
  chore(deps): bump github/codeql-action from 3.28.18 to 3.28.19 (#3952)
  feat: add syft schema version to version command (#3949)
  chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.11 to 0.5.12 (#3943)
  chore(deps): update tools to latest versions (#3945)
  ...

Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
kzantow (Contributor) commented Jun 12, 2025

Hi @MikeTheCyberGuy 👋 -- due to a number of users having permission issues that were not obvious to work around, we've reverted the nonroot-by-default (in latest tags), so the latest images are back to using root by default; however, we've introduced a "nonroot" tag for users who want to run the nonroot variant. That is to say, you will probably want to use anchore/syft:nonroot (and similar for Grype) for your purposes.
