Add Java run Dockerfile

[davideme]

Summary

• add a Docker run image configuration for the Java service that runs as root

Testing

• Not run (not requested)

[Copilot]

Pull request overview

Adds a minimal “run” Docker image definition for the Java service, apparently intended to be used as a runtime/base image configuration.

Changes:

• Introduces src/java/run.Dockerfile based on gcr.io/buildpacks/gcp/run
• Configures the container user to run as root

[Copilot]

This Dockerfile explicitly sets USER root, meaning the Java service will run with full root privileges inside the container, which significantly increases the impact of any compromise (e.g., an RCE in the app can access and modify mounted volumes, host namespaces, or Kubernetes secrets as root). Running as root in containers is a dangerous default because it turns container escape or misconfiguration issues into full host compromise. Configure the image to run as a non-root user (with a fixed UID/GID) and ensure file permissions and orchestrator settings (securityContext.runAsNonRoot, etc.) are compatible with that user instead of root.

Suggested change

	USER root
	# Create a non-root user with a fixed UID/GID for running the application
	RUN addgroup --system appgroup && adduser --system --ingroup appgroup --uid 10001 appuser
	# Run the application as the non-root user
	USER 10001

[Copilot]

The base image gcr.io/buildpacks/gcp/run is referenced without a tag or digest, so it will pull a mutable latest image whose contents can change over time, which is a supply-chain risk if that upstream image is ever compromised or replaced. Because this image is used at runtime, a malicious update to the remote image would immediately affect new deployments and could run arbitrary code with access to your app’s data and secrets. Pin this base image to a specific immutable version or digest and update it intentionally as part of your release process.