Location: build/package/Dockerfile (missing USER instruction)
Description:
The Dockerfile at build/package/Dockerfile does not specify a USER instruction, causing the container to run as root (UID 0) by default. This constitutes a critical security issue as it violates the principle of least privilege.
Risk:
- If any vulnerability (e.g., RCE) in the application is successfully exploited, the attacker gains full root privileges inside the container, significantly simplifying further attacks on the host system. The root user has complete access to all processes, files, and network stacks within the container, providing the attacker with greater latitude for lateral movement.
- Non-compliance with CIS Docker Benchmark (4.1), OWASP Docker Security, and Kubernetes Pod Security Standards (Restricted profile).
Recommendations:
- In the Dockerfile: create a non-privileged user and switch to it using the USER instruction. The user must have read/write permissions on the required directories (/seq-db-data, /var/log/seq-db).
- In Kubernetes: configure securityContext in deployment/k8s/helm-chart/templates/seq-proxy/deployment.yaml:
    securityContext:
      runAsNonRoot: true
      runAsUser: 1001
  Additionally, at the container level, add allowPrivilegeEscalation: false.
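As an added illustration (not code from this finding or from the seq-db project), the POSIX shell check below reports whether a Dockerfile's final stage ends up running as root, and runs it over a constructed copy of the reported state and a constructed fixed Dockerfile. The base images and build paths in the samples are assumptions; UID 1001 follows the runAsUser recommendation above.

```shell
#!/bin/sh
# Added example, not part of the original finding or the seq-db project.
# effective_user reads a Dockerfile on stdin and prints the user its final
# stage runs as. Each FROM starts a new stage and resets the user to the base
# image default, assumed here to be root (conservative: a base image that
# already switched users is still reported as root). Variables are not expanded.
effective_user() {
  awk '
    /^[ \t]*#/            { next }            # skip comment lines
    toupper($1) == "FROM" { user = ""; next } # new stage, back to base default
    toupper($1) == "USER" { user = $2; sub(/:.*/, "", user) }  # drop :group
    END { print (user == "" ? "root" : user) }
  '
}

# runs_as_root takes Dockerfile content as $1 and succeeds (exit 0) when the
# container would start as root, i.e. when this finding applies.
runs_as_root() {
  case "$(printf '%s\n' "$1" | effective_user)" in
    ""|root|0) return 0 ;;
    *)         return 1 ;;
  esac
}

# Constructed sample of the reported state: a multi-stage build whose final
# stage never sets USER. Image names and paths are illustrative assumptions.
VULNERABLE_DOCKERFILE='FROM golang:1.22 AS build
WORKDIR /src
COPY . .
RUN go build -o /out/seq-db ./cmd/seq-db
FROM debian:bookworm-slim
COPY --from=build /out/seq-db /usr/local/bin/seq-db
ENTRYPOINT ["/usr/local/bin/seq-db"]'

# Constructed fix: dedicated UID 1001 (matching runAsUser: 1001 in the chart),
# the data and log directories owned by it, then USER before the ENTRYPOINT.
FIXED_DOCKERFILE='FROM debian:bookworm-slim
RUN groupadd --gid 1001 seq-db \
 && useradd --uid 1001 --gid 1001 --no-create-home --shell /usr/sbin/nologin seq-db \
 && mkdir -p /seq-db-data /var/log/seq-db \
 && chown -R seq-db:seq-db /seq-db-data /var/log/seq-db
COPY --from=build /out/seq-db /usr/local/bin/seq-db
USER seq-db:seq-db
ENTRYPOINT ["/usr/local/bin/seq-db"]'

runs_as_root "$VULNERABLE_DOCKERFILE" && echo "vulnerable sample: runs as root (finding applies)"
runs_as_root "$FIXED_DOCKERFILE" || echo "fixed sample: runs as $(printf '%s\n' "$FIXED_DOCKERFILE" | effective_user)"
```

Pinning runAsUser: 1001 in the chart, as recommended above, also matters because the kubelet can only verify runAsNonRoot against a numeric UID; an image whose USER is given by name alone, with no runAsUser in the pod spec, is refused at start.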