From 8a08fbd37144be7abf048b288eb3834d6504fabf Mon Sep 17 00:00:00 2001
From: Daniel Vystrcil <31454345+da6d6i7-bronga@users.noreply.github.com>
Date: Wed, 9 Jun 2021 16:59:30 -0700
Subject: [PATCH 1/2] Update Dockerfile

Alpine 3.15.5 has fixes for CVE-2021-30139, CVE-2021-28831, CVE-2021-23840, and CVE-2021-3450

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index f4b0622edda..6ef42cc03c3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,7 +12,7 @@ RUN CGO_ENABLED=0 make local build
 
 # Choose alpine as a base image to make this useful for CI, as many
 # CI tools expect an interactive shell inside the container
-FROM alpine:3.12.3 as production
+FROM alpine:3.13.5 as production
 
 COPY --from=builder /go/src/mikefarah/yq/yq /usr/bin/yq
 RUN chmod +x /usr/bin/yq

From f9e90cd4b28fb5488577b2307360b71f6f48d44d Mon Sep 17 00:00:00 2001
From: Daniel Vystrcil <31454345+da6d6i7-bronga@users.noreply.github.com>
Date: Tue, 15 Jun 2021 20:40:39 -0700
Subject: [PATCH 2/2] Update Dockerfile

Adding group:user to fix (CIS_Docker_v1.2.0 - 4.1) Image should be created with a non-root user

---
 Dockerfile | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 6ef42cc03c3..2c546ed3127 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -14,12 +14,19 @@ RUN CGO_ENABLED=0 make local build
 # CI tools expect an interactive shell inside the container
 FROM alpine:3.13.5 as production
 
+RUN mkdir /home/yq/
+RUN addgroup -g 1000 yq && \
+    adduser -u 1000 -G yq -s /bin/bash -h /home/yq -D yq
+RUN chown -R yq:yq /home/yq/
+
 COPY --from=builder /go/src/mikefarah/yq/yq /usr/bin/yq
 RUN chmod +x /usr/bin/yq
 
 ARG VERSION=none
 LABEL version=${VERSION}
 
+USER yq
+
 WORKDIR /workdir
 ENTRYPOINT ["/usr/bin/yq"]
 
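Review bot: The new base line `+FROM alpine:3.13.5 as production` pins a tag but not a digest, so the fixes the message credits to this bump (CVE-2021-30139, CVE-2021-28831, CVE-2021-23840, CVE-2021-3450) are only as reproducible as a tag the registry can re-point; consider `FROM alpine:3.13.5@sha256:<digest-of-tested-image> AS production` using the digest of the image that was actually scanned. The commit message says Alpine 3.15.5 while the hunk moves to 3.13.5, so one of the two looks like a typo and should be corrected before merge. Nothing else in the production stage changes in this hunk, so the CVE claim rests entirely on what that tag resolves to at build time.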
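Review bot: `adduser -u 1000 -G yq -s /bin/bash -h /home/yq -D yq` assigns a login shell that the alpine:3.13.5 base does not ship and nothing in this Dockerfile installs, so an interactive login as yq (`su yq`, or a CI runner that spawns the user's shell) would presumably fail to find `/bin/bash`; `-s /bin/sh` is the shell the base actually has. BusyBox `adduser` creates and owns the home directory itself unless `-H` is given, so the separate `RUN mkdir /home/yq/` and `RUN chown -R yq:yq /home/yq/` layers look redundant and the three could collapse to one `RUN addgroup -g 1000 yq && adduser -u 1000 -G yq -s /bin/sh -h /home/yq -D yq`. `WORKDIR /workdir` now runs after `USER yq`; depending on the builder version the directory may be created root-owned, so writing output into `/workdir` without a bind mount could fail — worth verifying with the builder in use, or creating `/workdir` with `--chown=yq:yq` before the USER switch. Switching the default user to uid 1000 is also an interface change for callers that bind-mount files not writable by that uid, so a release note would help.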