Tags: docker, security, dockerfile, containers, docker-container

How do I update my Docker container so that it's unprivileged?


Problem

I have a frontend app that deploys in the Docker container nginxinc/nginx-unprivileged:alpine-slim. The pipeline is currently failing the stage that checks for security vulnerabilities via AquaScan.

The Dockerfile:

FROM nginxinc/nginx-unprivileged:alpine-slim
USER root
RUN apk update && apk upgrade --no-cache
WORKDIR /usr/share/nginx/html
COPY --chown=nginx ./docker/nginx/nginx.conf /etc/nginx/conf.d/default.conf
USER nginx
COPY build .

Things I've tried

  • Due to an issue with AquaScan, upgrading the vulnerable packages with RUN apk update && apk upgrade --no-cache does not pass the scan.
  • Changing to a privileged container fails the deployment
  • lxc create unprivileged containers is a related post that doesn't work in my situation.

If I could update a different container to be unprivileged, then I could both pass AquaScan and deploy my app.

How do I update my Docker container so that it's unprivileged?


Solution

I updated the Dockerfile like so:

# nginxinc/nginx-unprivileged:alpine-slim has container vulnerabilities that do not pass AquaScan, even after updating. 3/21/2023.
FROM nginx:alpine-slim
# uid of the nginx user created by the official nginx image; $UID is not set in the build shell, so define it explicitly
ARG UID=101
# implement changes required to run NGINX as an unprivileged user
# (the listen-port rewrite of default.conf is superseded by the COPY below, so the copied nginx.conf itself must listen on 8080)
RUN sed -i 's,listen       80;,listen       8080;,' /etc/nginx/conf.d/default.conf \
  && sed -i '/user  nginx;/d' /etc/nginx/nginx.conf \
  && sed -i 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf \
  && sed -i "/^http {/a \    proxy_temp_path /tmp/proxy_temp;\n    client_body_temp_path /tmp/client_temp;\n    fastcgi_temp_path /tmp/fastcgi_temp;\n    uwsgi_temp_path /tmp/uwsgi_temp;\n    scgi_temp_path /tmp/scgi_temp;\n" /etc/nginx/nginx.conf \
  # nginx user must own the cache and etc directory to write cache and tweak the nginx config
  # (this comment must sit on its own line: Docker drops comment lines inside a continued RUN, so a command sharing the line would never run)
  && chown -R $UID:0 /var/cache/nginx \
  && chmod -R g+w /var/cache/nginx \
  && chown -R $UID:0 /etc/nginx \
  && chmod -R g+w /etc/nginx
COPY --chown=nginx:nginx ./docker/nginx/nginx.conf /etc/nginx/conf.d/default.conf
WORKDIR /usr/share/nginx/html
USER nginx
EXPOSE 8080
COPY build .

Now my frontend app deploys in a container and passes AquaScan.
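As an added example (my own code, not from the answer above, the question, or AquaScan), a small Python checker that applies the two properties the answer relies on to a Dockerfile and an nginx config: the final USER must not be root, and no port below 1024 may be exposed or listened on, since an unprivileged container cannot bind privileged ports. It also joins RUN continuations the way the Docker parser does, which shows why a comment that shares a line with `&& chown` silently drops that command from the build. The Dockerfiles and config snippets are embedded as constructed samples (the first Dockerfile is the question's own); the function names and finding codes are my own choices.

```python
"""Static checks for 'does this Dockerfile build an image that runs unprivileged?'
(added example; sample inputs are constructed inline, not taken from a real scan)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    code: str    # which check fired
    detail: str  # human-readable explanation


def parse_dockerfile(text):
    """Return (INSTRUCTION, argument) pairs.

    Mirrors two rules of the Docker parser: backslash-continued lines are joined,
    and any line beginning with '#' is discarded first, even inside a continued
    RUN. A command written on the same line as such a comment never runs."""
    instructions, pending = [], []

    def flush():
        if pending:
            joined = " ".join(part.strip() for part in pending)
            pending.clear()
            instr, _, arg = joined.partition(" ")
            instructions.append((instr.upper(), arg.strip()))

    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.endswith("\\"):
            pending.append(line[:-1])
        else:
            pending.append(line)
            flush()
    flush()  # tolerate a dangling continuation at end of file
    return instructions


def audit_dockerfile(text):
    """Flag a root final USER and EXPOSE of ports below 1024 (binding those needs
    root or CAP_NET_BIND_SERVICE, which an unprivileged container does not have)."""
    findings, user = [], None
    for instr, arg in parse_dockerfile(text):
        if instr == "USER":
            user = arg.split(":")[0]          # strip an optional :group
        elif instr == "EXPOSE":
            for port in arg.split():
                number = port.split("/")[0]   # strip an optional /tcp or /udp
                if number.isdigit() and int(number) < 1024:
                    findings.append(Finding("PRIV_PORT", f"EXPOSE {port} is a privileged port"))
    if user is None:
        findings.append(Finding("NO_USER", "no USER instruction: runs as root unless the base image sets one"))
    elif user in ("root", "0"):
        findings.append(Finding("ROOT_USER", f"final USER is {user}"))
    return findings


# Matches 'listen 80;', 'listen 0.0.0.0:80;', 'listen [::]:8080;' and captures the port.
_LISTEN = re.compile(r"^\s*listen\s+(?:[^\s;]*:)?(\d+)", re.MULTILINE)


def audit_nginx_conf(text):
    """Flag listen directives on privileged ports (the answer's first sed rewrites 80 -> 8080)."""
    return [Finding("PRIV_LISTEN", f"listen on port {port} needs root privileges")
            for port in _LISTEN.findall(text) if int(port) < 1024]


# --- constructed sample inputs ---------------------------------------------------
QUESTION_DOCKERFILE = """\
FROM nginxinc/nginx-unprivileged:alpine-slim
USER root
RUN apk update && apk upgrade --no-cache
WORKDIR /usr/share/nginx/html
COPY --chown=nginx ./docker/nginx/nginx.conf /etc/nginx/conf.d/default.conf
USER nginx
COPY build .
"""

# Constructed: what the image looks like if the unprivileged changes are skipped.
ROOT_DOCKERFILE = """\
FROM nginx:alpine-slim
EXPOSE 80
COPY build /usr/share/nginx/html
"""

# Constructed: a comment sharing a line with '&& chown' inside a continued RUN.
CONTINUATION_DEMO = """\
FROM nginx:alpine-slim
RUN sed -i 's,listen       80;,listen       8080;,' /etc/nginx/conf.d/default.conf \\
    # the cache dir must be writable    && chown -R 101:0 /var/cache/nginx \\
    && chmod -R g+w /var/cache/nginx
EXPOSE 8080
USER nginx
"""

CONF_BEFORE = "server {\n    listen       80;\n    server_name  localhost;\n}\n"
CONF_AFTER = CONF_BEFORE.replace("listen       80;", "listen       8080;")

if __name__ == "__main__":
    for name, sample in (("question", QUESTION_DOCKERFILE), ("root-only", ROOT_DOCKERFILE)):
        print(name, [f.code for f in audit_dockerfile(sample)] or "clean")
    print("continued RUN became:", parse_dockerfile(CONTINUATION_DEMO)[1][1])
```

Running it shows the question's Dockerfile as clean on these two checks, the root-only variant with both `NO_USER` and `PRIV_PORT`, and the continued RUN with its `chown` missing, which is the same defect the original answer's inline comment would cause. The checker is deliberately narrow: it cannot see a USER set by the base image or a port bound at runtime, so treat a clean result as necessary rather than sufficient.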