63 changes: 63 additions & 0 deletions src/java/cloudbuild.yaml
@@ -0,0 +1,63 @@
steps:
- name: gcr.io/cloud-builders/docker
args:
- build
- -f
- src/java/run.Dockerfile
- -t
- $_AR_HOSTNAME/$_AR_PROJECT_ID/$_AR_REPOSITORY/$REPO_NAME/java-run:latest
- src/java
id: BuildRunImage
- name: gcr.io/cloud-builders/docker
args:
- push
- $_AR_HOSTNAME/$_AR_PROJECT_ID/$_AR_REPOSITORY/$REPO_NAME/java-run:latest
id: PushRunImage
- name: gcr.io/k8s-skaffold/pack
args:
- build
- >-
$_AR_HOSTNAME/$_AR_PROJECT_ID/$_AR_REPOSITORY/$REPO_NAME/$_SERVICE_NAME:$COMMIT_SHA
- '--builder=gcr.io/buildpacks/builder:latest'
- '--run-image=$_AR_HOSTNAME/$_AR_PROJECT_ID/$_AR_REPOSITORY/$REPO_NAME/java-run:latest'
- '--network=cloudbuild'
- '--path=src/java'
id: Buildpack
entrypoint: pack
- name: gcr.io/cloud-builders/docker
args:
- push
- '--all-tags'
- $_AR_HOSTNAME/$_AR_PROJECT_ID/$_AR_REPOSITORY/$REPO_NAME/$_SERVICE_NAME
id: Push
- name: gcr.io/google.com/cloudsdktool/cloud-sdk:slim
args:
- run
- services
- update
- $_SERVICE_NAME
- >-
--image=$_AR_HOSTNAME/$_AR_PROJECT_ID/$_AR_REPOSITORY/$REPO_NAME/$_SERVICE_NAME:$COMMIT_SHA
- >-
--update-labels=managed-by=gcp-cloud-build-deploy-cloud-run,gcb-trigger-id=$_TRIGGER_ID,gcb-trigger-region=$LOCATION,commit-sha=$COMMIT_SHA,gcb-build-id=$BUILD_ID
- '--region=$_DEPLOY_REGION'
- '--quiet'
id: Deploy
entrypoint: gcloud
images:
- >-
$_AR_HOSTNAME/$_AR_PROJECT_ID/$_AR_REPOSITORY/$REPO_NAME/$_SERVICE_NAME:$COMMIT_SHA
options:
requestedVerifyOption: VERIFIED
substitutionOption: ALLOW_LOOSE
logging: CLOUD_LOGGING_ONLY
substitutions:
_AR_REPOSITORY: cloud-run-source-deploy
_AR_PROJECT_ID: lamp-control-469416
_SERVICE_NAME: java-lamp-control-api
_DEPLOY_REGION: europe-west1
_TRIGGER_ID: 8f4a8369-1721-4aab-8be3-0312e689519e
_AR_HOSTNAME: europe-west1-docker.pkg.dev
tags:
- gcp-cloud-build-deploy-cloud-run
- java-lamp-control-api
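Review bot: the `Buildpack` step pulls both `--builder=gcr.io/buildpacks/builder:latest` and the `--run-image` by a mutable `latest` tag, so the provenance requested via `requestedVerifyOption: VERIFIED` describes inputs that can change from one build to the next; pin the builder to a digest and tag the `java-run` image with `$COMMIT_SHA` (alongside or instead of `latest`) so the `Buildpack` step consumes exactly what `BuildRunImage` produced rather than whatever another concurrent build last pushed to `java-run:latest`. Separately, `substitutionOption: ALLOW_LOOSE` keeps the build from failing up front when a referenced substitution such as `_AR_HOSTNAME` is not supplied by the trigger, so a typo in the trigger variables only surfaces later as a malformed image path; `MUST_MATCH` is the safer setting for a deploy pipeline.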
2 changes: 2 additions & 0 deletions src/java/run.Dockerfile
@@ -0,0 +1,2 @@
FROM gcr.io/buildpacks/gcp/run
Copilot AI Feb 20, 2026

The base image gcr.io/buildpacks/gcp/run is referenced without a tag or digest, so it will pull a mutable latest image whose contents can change over time, which is a supply-chain risk if that upstream image is ever compromised or replaced. Because this image is used at runtime, a malicious update to the remote image would immediately affect new deployments and could run arbitrary code with access to your app’s data and secrets. Pin this base image to a specific immutable version or digest and update it intentionally as part of your release process.
USER root
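Review bot: `USER root` is the only instruction after `FROM` and there are no `RUN` steps in this file, so it serves no build-time purpose; its only effect is on the image that cloudbuild.yaml passes as `--run-image`, which means the buildpack-built service launches as root. Drop the line so the upstream run image's own (non-root) user is kept, or set an explicit numeric non-root `USER` if that default is not acceptable.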
Copilot AI Feb 20, 2026

This Dockerfile explicitly sets USER root, meaning the Java service will run with full root privileges inside the container, which significantly increases the impact of any compromise (e.g., an RCE in the app can access and modify mounted volumes, host namespaces, or Kubernetes secrets as root). Running as root in containers is a dangerous default because it turns container escape or misconfiguration issues into full host compromise. Configure the image to run as a non-root user (with a fixed UID/GID) and ensure file permissions and orchestrator settings (securityContext.runAsNonRoot, etc.) are compatible with that user instead of root.

Suggested change
USER root
# Create a non-root user with a fixed UID/GID for running the application
RUN addgroup --system appgroup && adduser --system --ingroup appgroup --uid 10001 appuser
# Run the application as the non-root user
USER 10001