Fix Docker security hotspots: non-root user, specific COPY

.dockerignore

@@ -0,0 +1,45 @@
+# Git
+.git
+.gitignore
+
+# IDE
+.idea
+.vscode
+*.swp
+*.swo
+
+# Build artifacts
+bin/
+dist/
+*.exe
+
+# Test and coverage
+coverage.out
+*.test
+
+# Documentation (not needed in image)
+docs/
+*.md
+!README.md
+
+# CI/CD
+.github/
+.gitlab-ci.yml
+
+# Development files
+.env
+.env.*
+*.local
+docker-compose*.yml
+
+# Kubernetes manifests (not needed in image)
+k8s/
+charts/
+
+# SonarCloud
+.scannerwork/
+sonar-project.properties
+
+# Misc
+.DS_Store
+Thumbs.db

Dockerfile

@@ -8,23 +8,32 @@ COPY go.mod go.sum ./
 RUN go mod download
 
 # Copy source code
-COPY . .
+COPY cmd/ cmd/
+COPY internal/ internal/
 
 # Build binary
 RUN CGO_ENABLED=0 GOOS=linux go build -o gatekeeperd ./cmd/gatekeeperd
 
 # Runtime stage
 FROM alpine:3.19
 
-RUN apk --no-cache add ca-certificates
+RUN apk --no-cache add ca-certificates libcap
 
 WORKDIR /app
 
 # Copy binary from builder
 COPY --from=builder /app/gatekeeperd .
 
-# Create config directory
-RUN mkdir -p /etc/gatekeeper
+# Allow binding to privileged ports (80, 443) without root
+RUN setcap cap_net_bind_service=+ep ./gatekeeperd
+
+# Create non-root user
+RUN addgroup -g 1000 gatekeeper && \
+    adduser -u 1000 -G gatekeeper -s /bin/sh -D gatekeeper && \
+    mkdir -p /etc/gatekeeper /var/cache/gatekeeper && \
+    chown -R gatekeeper:gatekeeper /app /etc/gatekeeper /var/cache/gatekeeper
+
+USER gatekeeper
 
 # Expose ports
 EXPOSE 80 443 8080 9090

Dockerfile.relay

@@ -8,7 +8,8 @@ COPY go.mod go.sum ./
 RUN go mod download
 
 # Copy source code
-COPY . .
+COPY cmd/ cmd/
+COPY internal/ internal/
 
 # Build binary
 RUN CGO_ENABLED=0 GOOS=linux go build -o gatekeeper-relay ./cmd/gatekeeper-relay
@@ -23,8 +24,13 @@ WORKDIR /app
 # Copy binary from builder
 COPY --from=builder /app/gatekeeper-relay .
 
-# Create config directory
-RUN mkdir -p /etc/gatekeeper
+# Create non-root user
+RUN addgroup -g 1000 gatekeeper && \
+    adduser -u 1000 -G gatekeeper -s /bin/sh -D gatekeeper && \
+    mkdir -p /etc/gatekeeper && \
+    chown -R gatekeeper:gatekeeper /app /etc/gatekeeper
+
+USER gatekeeper
 
 # Run the relay client
 ENTRYPOINT ["./gatekeeper-relay"]