Dockerfile Configuration #3481
DAB provides its own runtime container `mcr.microsoft.com/azure-databases/data-api-builder`. Checkmarx One has a rule requiring that all runtime stages must have a USER instruction to ensure that a non-root user is used. I have not been able to find any documentation suggesting that there is an existing non-root user that I can specify, or, if I need to add my own user, what the minimum required permissions are. Is it a requirement that DAB executes as root, or can it work with a user with lesser permissions, and if so, what are those lesser permissions?
Replies: 1 comment
Hi @Andy65, thanks for the questions.

The base image that we use ships with a built-in non-root user `app` with UID/GID `64198`. DAB does not require root, it is just an ASP.NET Core process. The published image runs as root today because we never issue a USER instruction, not because DAB needs elevated privileges. Using the user `app` should be fine.

But I don't think selecting a user at deploy time will make your scanner happy. Scanners generally read the image's …
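Added example, not part of the discussion and not DAB's or Checkmarx's code: a simplified Python approximation of the kind of Dockerfile check described in the question, passing only when the final stage sets a non-root USER. The sample Dockerfiles and the `build-image:constructed` name are constructed, and treating the last stage as the runtime stage is an assumption.

```python
import re

ROOT_NAMES = {"root", "0"}

def final_stage_user(dockerfile_text):
    """Return the USER set in the last stage of the Dockerfile text, or None."""
    # Join backslash continuations so a wrapped RUN is read as one instruction.
    logical = re.sub(r"\\[ \t]*\n", " ", dockerfile_text)
    user = None
    for raw in logical.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        instr = parts[0].upper()
        if instr == "FROM":
            user = None          # new stage: an earlier stage's USER no longer counts
        elif instr == "USER" and len(parts) == 2:
            user = parts[1].strip()   # the last USER in a stage wins
    return user

def check(dockerfile_text):
    """Approximate a 'runtime stage must set a non-root USER' rule."""
    user = final_stage_user(dockerfile_text)
    if user is None:
        return "FAIL: final stage has no USER instruction"
    if user.split(":", 1)[0] in ROOT_NAMES:   # USER may be given as name[:group] or uid[:gid]
        return f"FAIL: final stage runs as {user}"
    return f"PASS: final stage runs as {user}"

# Constructed sample Dockerfiles built on the image named in the question.
BASE = "FROM mcr.microsoft.com/azure-databases/data-api-builder\n"
NO_USER = BASE
WITH_APP = BASE + "USER app\n"            # user name taken from the reply
WITH_UID = BASE + "USER 64198:64198\n"    # UID/GID taken from the reply
EXPLICIT_ROOT = BASE + "USER 0:0\n"
# USER set only in a builder stage does not satisfy the rule for the final stage.
MULTI_STAGE = "FROM build-image:constructed AS build\nUSER app\n" + BASE

if __name__ == "__main__":
    samples = [("no USER", NO_USER), ("USER app", WITH_APP), ("USER uid:gid", WITH_UID),
               ("USER 0:0", EXPLICIT_ROOT), ("multi-stage", MULTI_STAGE)]
    for label, text in samples:
        print(f"{label:14} {check(text)}")
```

This inspects only the Dockerfile text, so a non-root user inherited from the base image's own configuration is reported as missing unless the derived Dockerfile repeats the USER instruction.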