add non-root user to frontend and backend containers (#1228)

intuitem · Dec 25, 2024 · 4affdec · 4affdec
1 parent 24cb967
commit 4affdec
Show file tree

Hide file tree

Showing 6 changed files with 21 additions and 12 deletions.
diff --git a/.github/workflows/startup-tests.yml b/.github/workflows/startup-tests.yml
@@ -122,7 +122,10 @@ jobs:
         working-directory: ${{ env.frontend-directory }}
         run: pnpm exec playwright install
       - name: Build the Docker app
-        run: docker compose -f docker-compose-build.yml up -d
+        run: |
+          rm -rf db
+          mkdir db
+          docker compose -f docker-compose-build.yml up -d
       - name: Create backend environment variables file
         working-directory: ${{ env.backend-directory }}
         run: |

diff --git a/backend/Dockerfile b/backend/Dockerfile
@@ -30,6 +30,8 @@ RUN pip install --upgrade pip && \
 RUN poetry install
 RUN rm -rf $POETRY_CACHE_DIR
 
+RUN addgroup -g 1001 -S app && adduser -u 1001 -S -G app app
+USER app
 
 ENTRYPOINT ["poetry", "run",  "bash", "startup.sh"]
 EXPOSE 8000
diff --git a/backend/ciso_assistant/settings.py b/backend/ciso_assistant/settings.py
@@ -375,15 +375,15 @@ def set_ciso_assistant_url(_, __, event_dict):
     # OTHER SETTINGS
 }
 
-HUEY = {
-    "huey_class": "huey.SqliteHuey",  # Huey implementation to use.
-    "name": "huey-ciso-assistant",  # Use db name for huey.
-    "results": True,  # Store return values of tasks.
-    "store_none": False,  # If a task returns None, do not save to results.
-    "immediate": DEBUG,  # If DEBUG=True, run synchronously.
-    "utc": True,  # Use UTC for all times internally.
-    "filename": "db/huey.sqlite3",
-}
+# HUEY = {
+#    "huey_class": "huey.SqliteHuey",  # Huey implementation to use.
+#    "name": "huey-ciso-assistant",  # Use db name for huey.
+#    "results": True,  # Store return values of tasks.
+#    "store_none": False,  # If a task returns None, do not save to results.
+#    "immediate": DEBUG,  # If DEBUG=True, run synchronously.
+#    "utc": True,  # Use UTC for all times internally.
+#    "filename": "db/huey.sqlite3",
+# }
 
 # SSO with allauth
 

diff --git a/backend/startup.sh b/backend/startup.sh
@@ -7,7 +7,7 @@ fi
 
 if [ ! -n "$DJANGO_SECRET_KEY" ]; then
 	if [ ! -f db/django_secret_key ]; then
-		cat /proc/sys/kernel/random/uuid >db/django_secret_key
+		install -m 600 <(cat /proc/sys/kernel/random/uuid) db/django_secret_key
 		echo "generating initial Django secret key"
 	fi
 	export DJANGO_SECRET_KEY=$(<db/django_secret_key)

diff --git a/docker-compose-build.sh b/docker-compose-build.sh
@@ -32,7 +32,7 @@ else
 
   # Simple wait for database migrations
   echo "Giving some time for the database to be ready, please wait ..."
-  sleep 30
+  sleep 60
 
   echo "Initialize your superuser account..."
   docker compose exec backend poetry run python manage.py createsuperuser

diff --git a/frontend/Dockerfile b/frontend/Dockerfile
@@ -21,4 +21,8 @@ COPY package.json .
 EXPOSE 3000
 ENV NODE_ENV=production
 ENV BODY_SIZE_LIMIT=20000000
+
+RUN addgroup -g 1001 -S app && adduser -u 1001 -S -G app app
+USER app
+
 CMD [ "node", "server" ]