Move USER and remove redundant --chown from Dockerfile (#53441)
### What? In the Dockerfile example: * Moves the `USER` command above the `COPY`s * Removes the `--chown` on the `COPY`s > **Note** > I don't know for 100% sure this won't have unintended side effects. Part of my motivation for opening this PR is to sense check whether we will be causing a regression by making this change in our own projects. > > Please let me know if there's any concerns with this! ### Why? Sonar security scanner flags this Dockerfile as having "security hotspots" due to the use of `--chown` https://rules.sonarsource.com/docker/RSPEC-6504/ ### How? Make the `--chown`s redundant by setting the current user before doing the `COPY` commands.
This commit is contained in:
Stef
GitHub
parent
b7c9604cc7
commit
39c06ae95e
1 changed files with 4 additions and 4 deletions
|
|
@ -43,14 +43,14 @@ ENV NODE_ENV production
|
|||
RUN addgroup --system --gid 1001 nodejs
|
||||
RUN adduser --system --uid 1001 nextjs
|
||||
|
||||
USER nextjs
|
||||
|
||||
COPY --from=builder /app/public ./public
|
||||
|
||||
# Automatically leverage output traces to reduce image size
|
||||
# https://nextjs.org/docs/advanced-features/output-file-tracing
|
||||
COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
|
||||
COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
|
||||
|
||||
USER nextjs
|
||||
COPY --from=builder /app/.next/standalone ./
|
||||
COPY --from=builder /app/.next/static ./.next/static
|
||||
|
||||
EXPOSE 3000
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue