Run as a non-root user

candrews · web-flow · commit 653d2fc405d6 · 2025-01-16T17:09:53.000-05:00
Running as a non-root user is a security best practice. Some environments require containers run as non-root users. For the `USER` directive, a numeric uid is specified instead of the username because systems configured to disallow running images as root aren't able to run images that use user name string values for the `USER` because they can't validate that a named user isn't root. See kubernetes/kubernetes#56503 for details.
diff --git a/Dockerfile b/Dockerfile
@@ -7,7 +7,11 @@ COPY LICENSE \
         requirements.txt \
         /code/
 
-RUN pip install -r /code/requirements.txt
+RUN pip install -r /code/requirements.txt \
+    && addgroup -g 1000 codespell \
+    && adduser -u 1000 -G codespell -s /bin/sh -D codespell
+
+USER 1000
 
 ENTRYPOINT ["/code/entrypoint.sh"]
 CMD []
