From 31030666c131fd15e009fbbdbedcb03adfdccb03 Mon Sep 17 00:00:00 2001
From: Nick Marden
Date: Mon, 19 Jan 2026 18:48:20 +0800
Subject: [PATCH] Fix Docker security hotspots: non-root user, specific COPY

- Add .dockerignore to exclude sensitive files from build context
- Replace recursive COPY with specific directory copies
- Create non-root gatekeeper user (uid/gid 1000)
- Use setcap to allow privileged port binding without root
- Switch to non-root user for runtime execution
---
 .dockerignore    | 45 +++++++++++++++++++++++++++++++++++++++++++++
 Dockerfile       | 17 +++++++++++++----
 Dockerfile.relay | 12 +++++++++---
 3 files changed, 67 insertions(+), 7 deletions(-)
 create mode 100644 .dockerignore

diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..db3f2e8
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,45 @@
+# Git
+.git
+.gitignore
+
+# IDE
+.idea
+.vscode
+*.swp
+*.swo
+
+# Build artifacts
+bin/
+dist/
+*.exe
+
+# Test and coverage
+coverage.out
+*.test
+
+# Documentation (not needed in image)
+docs/
+*.md
+!README.md
+
+# CI/CD
+.github/
+.gitlab-ci.yml
+
+# Development files
+.env
+.env.*
+*.local
+docker-compose*.yml
+
+# Kubernetes manifests (not needed in image)
+k8s/
+charts/
+
+# SonarCloud
+.scannerwork/
+sonar-project.properties
+
+# Misc
+.DS_Store
+Thumbs.db
diff --git a/Dockerfile b/Dockerfile
index 95410e9..297e61d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,7 +8,8 @@ COPY go.mod go.sum ./
 RUN go mod download
 
 # Copy source code
-COPY . .
+COPY cmd/ cmd/
+COPY internal/ internal/
 
 # Build binary
 RUN CGO_ENABLED=0 GOOS=linux go build -o gatekeeperd ./cmd/gatekeeperd
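Review bot: The ignore list names `.env` and `.env.*` as the sensitive files but carries no key or certificate patterns, and the commit message presents this file as the guard against leaking secrets into the build context; I'd add entries such as `*.pem`, `*.key` and `*.crt` (harmless if no such file exists) so a stray credential in the checkout is excluded by default. With the Dockerfiles now copying only `cmd/` and `internal/`, context contents no longer reach the image unless they sit under those trees, so this is defence in depth rather than the primary control. Also `!README.md` re-includes a file that nothing in either Dockerfile copies, so it can be dropped.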
@@ -16,15 +17,23 @@ RUN CGO_ENABLED=0 GOOS=linux go build -o gatekeeperd ./cmd/gatekeeperd
 # Runtime stage
 FROM alpine:3.19
 
-RUN apk --no-cache add ca-certificates
+RUN apk --no-cache add ca-certificates libcap
 
 WORKDIR /app
 
 # Copy binary from builder
 COPY --from=builder /app/gatekeeperd .
 
-# Create config directory
-RUN mkdir -p /etc/gatekeeper
+# Allow binding to privileged ports (80, 443) without root
+RUN setcap cap_net_bind_service=+ep ./gatekeeperd
+
+# Create non-root user
+RUN addgroup -g 1000 gatekeeper && \
+    adduser -u 1000 -G gatekeeper -s /bin/sh -D gatekeeper && \
+    mkdir -p /etc/gatekeeper /var/cache/gatekeeper && \
+    chown -R gatekeeper:gatekeeper /app /etc/gatekeeper /var/cache/gatekeeper
+
+USER gatekeeper
 
 # Expose ports
 EXPOSE 80 443 8080 9090
diff --git a/Dockerfile.relay b/Dockerfile.relay
index 38053d1..5a717ec 100644
--- a/Dockerfile.relay
+++ b/Dockerfile.relay
@@ -8,7 +8,8 @@ COPY go.mod go.sum ./
 RUN go mod download
 
 # Copy source code
-COPY . .
+COPY cmd/ cmd/
+COPY internal/ internal/
 
 # Build binary
 RUN CGO_ENABLED=0 GOOS=linux go build -o gatekeeper-relay ./cmd/gatekeeper-relay
@@ -23,8 +24,13 @@ WORKDIR /app
 # Copy binary from builder
 COPY --from=builder /app/gatekeeper-relay .
 
-# Create config directory
-RUN mkdir -p /etc/gatekeeper
+# Create non-root user
+RUN addgroup -g 1000 gatekeeper && \
+    adduser -u 1000 -G gatekeeper -s /bin/sh -D gatekeeper && \
+    mkdir -p /etc/gatekeeper && \
+    chown -R gatekeeper:gatekeeper /app /etc/gatekeeper
+
+USER gatekeeper
 
 # Run the relay client
 ENTRYPOINT ["./gatekeeper-relay"]
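Review bot: `chown -R gatekeeper:gatekeeper /app` runs after `setcap cap_net_bind_service=+ep ./gatekeeperd`, and on Linux changing the owner of an executable clears its file capabilities through the same kill-priv path that drops setuid bits, so the binary very likely ends up without the capability and binding 80/443 as uid 1000 fails at runtime; worth confirming with `getcap ./gatekeeperd` inside the built image. The fix is to create the user first, copy the binary already owned by it with `COPY --from=builder --chown=gatekeeper:gatekeeper`, and apply setcap as the last ownership-touching step, which also avoids `chown -R` duplicating the binary into a second layer. A file capability only takes effect when NET_BIND_SERVICE remains in the container's bounding set, so a runtime that drops all capabilities must add it back explicitly. Dockerfile.relay's second hunk has the same `chown -R /app` after COPY but no setcap, so there only the layer-size point applies; in both files `-s /bin/sh` gives the service account a login shell where `-s /sbin/nologin` is the usual choice for a runtime-only user.
```dockerfile
WORKDIR /app

# Create non-root user first so the binary can be copied already owned by it
RUN addgroup -g 1000 gatekeeper && \
    adduser -u 1000 -G gatekeeper -s /sbin/nologin -D gatekeeper && \
    mkdir -p /etc/gatekeeper /var/cache/gatekeeper && \
    chown gatekeeper:gatekeeper /app /etc/gatekeeper /var/cache/gatekeeper

# Copy binary from builder, owned by the runtime user (no later chown needed)
COPY --from=builder --chown=gatekeeper:gatekeeper /app/gatekeeperd .

# Allow binding to privileged ports (80, 443) without root; must be the last
# step that touches the binary, because chown clears file capabilities
RUN setcap cap_net_bind_service=+ep ./gatekeeperd

USER gatekeeper
# … unchanged: EXPOSE …
```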