fix: Add non-root user to scratch go containers #1231
Pull Request Overview
This PR fixes a security issue where Go Docker images built from scratch were running as root by adding a non-root user configuration. The fix addresses issue #1227 by setting the USER directive to 1001:1001 in all Go container Dockerfiles.
Key changes:
- Added USER 1001:1001 directive to run containers as non-root
- Standardized multi-platform build comments across Dockerfiles
- Fixed LABEL syntax for better compliance
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| mcp-servers/templates/go/Dockerfile.jinja | Template updated with non-root user and standardized comments |
| mcp-servers/go/fast-time-server/Dockerfile | Applied non-root user fix and comment standardization |
| mcp-servers/go/benchmark-server/Dockerfile | Applied non-root user fix with minimal changes |
| FROM --platform=$TARGETPLATFORM golang:{{ go_version }} AS builder | ||
| # This build supports multi-platform builds through standard Docker Buildx | ||
| # techniques, including the $TARGETPLATFORM environment veriable. |
Copilot AI, Oct 12, 2025
Corrected spelling of 'veriable' to 'variable'.
| # techniques, including the $TARGETPLATFORM environment veriable. | |
| # techniques, including the $TARGETPLATFORM environment variable. |
| # # now visit http://localhost:8080/sse or http://localhost:8080/http | ||
| # | ||
| # This build supports multi-platform builds through standard Docker Buildx | ||
| # techniques, including the $TARGETPLATFORM environment veriable. |
Copilot AI, Oct 12, 2025
Corrected spelling of 'veriable' to 'variable'.
| # techniques, including the $TARGETPLATFORM environment veriable. | |
| # techniques, including the $TARGETPLATFORM environment variable. |
| @@ -1,4 +1,6 @@ | |||
| FROM --platform=$TARGETPLATFORM golang:1.23 AS builder | |||
| # This build supports multi-platform builds through standard Docker Buildx | |||
| # techniques, including the $TARGETPLATFORM environment veriable. | |||
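Review bot: the comment on the line after the FROM instruction calls $TARGETPLATFORM an environment variable, but in `FROM --platform=$TARGETPLATFORM` it is a build argument that Buildx populates automatically, not something read from the shell or container environment. Suggest wording it as "the $TARGETPLATFORM build argument" in the same change that fixes the 'veriable' spelling, here and where the same comment appears in the other two Dockerfiles.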
Copilot AI, Oct 12, 2025
Corrected spelling of 'veriable' to 'variable'.
| # techniques, including the $TARGETPLATFORM environment veriable. | |
| # techniques, including the $TARGETPLATFORM environment variable. |
Oh, cool! Yeah, the mcp-server images need the same attention as the regular contextforge build, thanks for the PR ;-)
crivetimihai left a comment
Thanks!
* fix: Add non-root user to scratch go containers
* fix: spelling corrections

Signed-off-by: p4yl04d3r <[email protected]>
🐛 Bug-fix PR
Before opening this PR please:
- make lint - passes ruff, mypy, pylint
- make test - all unit + integration tests green
- make coverage - ≥ 90 %
- make docker docker-run-ssl or make podman podman-run-ssl
📌 Summary
Go Docker images built from scratch run as root
🔁 Reproduction Steps
Issue #1227
🐞 Root Cause
Images did not set USER
💡 Fix Description
Set USER to 1001
🧪 Verification
- make lint
- make test
- make coverage
📐 MCP Compliance (if relevant)
✅ Checklist
make black isort pre-commit)
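A CI-style check for the root cause described in this PR (a final image stage that sets no USER), as an added example that is not part of the PR or the project's code. The function names and sample Dockerfiles are constructed for illustration, and a stage with no USER instruction is assumed to run as root, which holds for scratch.

```python
import re

# Constructed sample: multi-stage Go build whose final scratch stage sets no USER.
SAMPLE_ROOT = """\
FROM golang:1.23 AS builder
USER 1001:1001
RUN go build -o /tmp/server .
FROM scratch
COPY --from=builder /tmp/server /server
ENTRYPOINT ["/server"]
"""

# Same constructed file with the fix this PR describes (USER 1001:1001) applied.
SAMPLE_FIXED = SAMPLE_ROOT.replace("ENTRYPOINT", "USER 1001:1001\nENTRYPOINT")


def final_stage_user(dockerfile_text):
    """Return the USER value in effect at the end of the last stage, or None."""
    user = None
    # Join backslash line continuations so each instruction sits on one line.
    text = re.sub(r"\\[ \t]*\n", " ", dockerfile_text)
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].upper()
        if keyword == "FROM":
            # A USER set in an earlier stage (the builder) does not carry over.
            user = None
        elif keyword == "USER" and len(parts) == 2:
            user = parts[1].strip()
    return user


def runs_as_root(dockerfile_text):
    """True when the final stage has no USER, or names root / uid 0."""
    user = final_stage_user(dockerfile_text)
    if user is None:
        return True  # assumption: no USER means root, as with scratch
    uid = user.split(":", 1)[0].strip()
    return uid == "root" or (uid.isdigit() and int(uid) == 0)
```

The builder stage in the sample sets USER on purpose: it shows that a USER in an earlier stage does not protect the final image.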