Run container as codeql user instead of root. (#42)

* Changed the codeql repository permission to be accessible to other user's other than root. Container starts as the codeql user instead of root. * Changed the ownership of the codeql repos within the home directory to codeql Co-authored-by: Cameron McDougall <[email protected]>
microsoft · Aug 6, 2022 · 4632664 · 4632664
1 parent 4e95116
commit 4632664
Showing 1 changed file with 14 additions and 4 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -4,8 +4,12 @@ LABEL maintainer="Github codeql team"
 # tzdata install needs to be non-interactive
 ENV DEBIAN_FRONTEND=noninteractive
 
-# install/update basics and python
-RUN apt-get update && \
+ARG USERNAME=codeql
+ENV CODEQL_HOME /usr/local/codeql-home
+
+# create user, install/update basics and python
+RUN adduser --home ${CODEQL_HOME} ${USERNAME} && \
+    apt-get update && \
     apt-get upgrade -y && \
     apt-get install -y --no-install-recommends \
     	software-properties-common \
@@ -54,10 +58,10 @@ RUN pip3 install --upgrade pip \
     && pip3 install -r /usr/local/startup_scripts/requirements.txt
 
 # Install latest codeQL
-ENV CODEQL_HOME /usr/local/codeql-home
+
 # record the latest version of the codeql-cli
 RUN python3 /usr/local/startup_scripts/get-latest-codeql-version.py > /tmp/codeql_version
-RUN mkdir -p ${CODEQL_HOME} \
+RUN mkdir -p \
     ${CODEQL_HOME}/codeql-repo \
     ${CODEQL_HOME}/codeql-go-repo \
     /opt/codeql
@@ -80,4 +84,10 @@ RUN codeql query compile --threads=0 ${CODEQL_HOME}/codeql-repo/*/ql/src/codeql-
 RUN codeql query compile --threads=0 ${CODEQL_HOME}/codeql-go-repo/ql/src/codeql-suites/*.qls --additional-packs=.
 
 ENV PYTHONIOENCODING=utf-8
+
+# Change ownership of all files and directories within CODEQL_HOME to the codeql user
+RUN chown -R ${USERNAME}:${USERNAME} ${CODEQL_HOME}
+
+USER ${USERNAME}
+
 ENTRYPOINT ["python3", "/usr/local/startup_scripts/startup.py"]