Skip to content

Hardening: Switch to non-root user in Docker #5434

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
RinZ27 wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Hardening: Switch to non-root user in Docker #5434

RinZ27 wants to merge 2 commits into from

Conversation

@RinZ27
Copy link

@RinZ27 RinZ27 commented Jan 5, 2026

Dropped root privileges in the production Docker image. Running the app process as a dedicated memos user instead of root to minimize the potential impact if the process is compromised. Standard hardening practice.

Also updated the directory creation and ownership to ensure the memos user has proper access to its data volumes.

@RinZ27 RinZ27 requested a review from johnnyjoygh as a code owner January 5, 2026 14:43
@johnnyjoygh johnnyjoygh requested a review from Copilot January 5, 2026 14:46
Copilot AI reviewed Jan 5, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR implements Docker security hardening by dropping root privileges in the production container image. The application now runs as a dedicated non-root memos user, following container security best practices to minimize the attack surface if the process is compromised.

Key Changes:

  • Created a dedicated memos system user and group in the Alpine-based Docker image
  • Set proper ownership of application and data directories for the memos user
  • Switched the container runtime context to the non-root user

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@RinZ27
Copy link
Author

RinZ27 commented Jan 5, 2026

Good catch. Updated the Dockerfile to use explicit UID/GID 10001 for better predictability with volume mounts.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@johnnyjoygh johnnyjoygh Awaiting requested review from johnnyjoygh johnnyjoygh is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@RinZ27