Skip to content

Comments

Add Java run Dockerfile#398

Merged
davideme merged 3 commits intomainfrom
codex/create-root-run-dockerfile
Feb 20, 2026
Merged

Add Java run Dockerfile#398
davideme merged 3 commits intomainfrom
codex/create-root-run-dockerfile

Conversation

@davideme
Copy link
Owner

Summary

  • add a Docker run image configuration for the Java service that runs as root

Testing

  • Not run (not requested)

Copilot AI review requested due to automatic review settings February 20, 2026 13:01
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a minimal “run” Docker image definition for the Java service, apparently intended to be used as a runtime/base image configuration.

Changes:

  • Introduces src/java/run.Dockerfile based on gcr.io/buildpacks/gcp/run
  • Configures the container user to run as root

@@ -0,0 +1,2 @@
FROM gcr.io/buildpacks/gcp/run
USER root
Copy link

Copilot AI Feb 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This Dockerfile explicitly sets USER root, meaning the Java service will run with full root privileges inside the container, which significantly increases the impact of any compromise (e.g., an RCE in the app can access and modify mounted volumes, host namespaces, or Kubernetes secrets as root). Running as root in containers is a dangerous default because it turns container escape or misconfiguration issues into full host compromise. Configure the image to run as a non-root user (with a fixed UID/GID) and ensure file permissions and orchestrator settings (securityContext.runAsNonRoot, etc.) are compatible with that user instead of root.

Suggested change
USER root
# Create a non-root user with a fixed UID/GID for running the application
RUN addgroup --system appgroup && adduser --system --ingroup appgroup --uid 10001 appuser
# Run the application as the non-root user
USER 10001

Copilot uses AI. Check for mistakes.
@@ -0,0 +1,2 @@
FROM gcr.io/buildpacks/gcp/run
Copy link

Copilot AI Feb 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The base image gcr.io/buildpacks/gcp/run is referenced without a tag or digest, so it will pull a mutable latest image whose contents can change over time, which is a supply-chain risk if that upstream image is ever compromised or replaced. Because this image is used at runtime, a malicious update to the remote image would immediately affect new deployments and could run arbitrary code with access to your app’s data and secrets. Pin this base image to a specific immutable version or digest and update it intentionally as part of your release process.

Copilot uses AI. Check for mistakes.
@davideme davideme merged commit 25822fb into main Feb 20, 2026
4 checks passed
@davideme davideme deleted the codex/create-root-run-dockerfile branch February 20, 2026 13:14
@davideme davideme restored the codex/create-root-run-dockerfile branch February 20, 2026 13:36
@davideme davideme deleted the codex/create-root-run-dockerfile branch February 20, 2026 13:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant