From fad337017524a5c62d914fb38092a6285d18effa Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach
Date: Tue, 13 May 2025 17:02:45 +0200
Subject: [PATCH] Ensure that code in containers isn't writable by the container users
Fixes Sonar docker:S6504 warning
Signed-off-by: Jannik Hollenbach
---
 .templates/new-scanner/parser/Dockerfile | 2 +-
 .../docs/contributing/integrating-a-hook/dockerfile.md | 4 ++--
 .../docs/contributing/integrating-a-scanner/parser-dir.md | 6 +++---
 hook-sdk/nodejs/Dockerfile | 4 ++--
 hooks/cascading-scans/hook/Dockerfile | 4 ++--
 hooks/finding-post-processing/hook/Dockerfile | 4 ++--
 hooks/generic-webhook/hook/Dockerfile | 4 ++--
 hooks/notification/hook/Dockerfile | 4 ++--
 hooks/persistence-azure-monitor/hook/Dockerfile | 4 ++--
 hooks/persistence-dependencytrack/hook/Dockerfile | 2 +-
 hooks/persistence-elastic/hook/Dockerfile | 4 ++--
 hooks/update-field-hook/hook/Dockerfile | 4 ++--
 parser-sdk/nodejs/Dockerfile | 8 ++++----
 scanners/amass/parser/Dockerfile | 4 ++--
 scanners/cmseek/parser/Dockerfile | 2 +-
 scanners/ffuf/parser/Dockerfile | 2 +-
 scanners/git-repo-scanner/parser/Dockerfile | 2 +-
 scanners/gitleaks/parser/Dockerfile | 3 +--
 scanners/kube-hunter/parser/Dockerfile | 2 +-
 scanners/ncrack/parser/Dockerfile | 4 ++--
 scanners/nikto/parser/Dockerfile | 2 +-
 scanners/nmap/parser/Dockerfile | 4 ++--
 scanners/nuclei/parser/Dockerfile | 2 +-
 scanners/screenshooter/parser/Dockerfile | 2 +-
 scanners/semgrep/parser/Dockerfile | 2 +-
 scanners/ssh-audit/parser/Dockerfile | 2 +-
 scanners/sslyze/parser/Dockerfile | 4 ++--
 scanners/test-scan/parser/Dockerfile | 2 +-
 scanners/trivy-sbom/parser/Dockerfile | 2 +-
 scanners/trivy/parser/Dockerfile | 2 +-
 scanners/whatweb/parser/Dockerfile | 2 +-
 scanners/wpscan/parser/Dockerfile | 2 +-
 scanners/zap-automation-framework/parser/Dockerfile | 4 ++--
 scanners/zap/parser/Dockerfile | 4 ++--
 34 files changed, 54 insertions(+), 55 deletions(-)
diff --git a/.templates/new-scanner/parser/Dockerfile b/.templates/new-scanner/parser/Dockerfile
index a881094246..8eb8fed45d 100644
--- a/.templates/new-scanner/parser/Dockerfile
+++ b/.templates/new-scanner/parser/Dockerfile
@@ -7,4 +7,4 @@ ARG namespace
 ARG baseImageTag
 FROM ${namespace:-securecodebox}/parser-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/parser-wrapper/parser/
-COPY --chown=app:app ./parser.js ./parser.js
+COPY --chown=root:root --chmod=755 ./parser.js ./parser.js
diff --git a/documentation/docs/contributing/integrating-a-hook/dockerfile.md b/documentation/docs/contributing/integrating-a-hook/dockerfile.md
index 2f2f2f1dcb..e8b975fdd6 100644
--- a/documentation/docs/contributing/integrating-a-hook/dockerfile.md
+++ b/documentation/docs/contributing/integrating-a-hook/dockerfile.md
@@ -20,8 +20,8 @@ RUN npm ci --production
 FROM securecodebox/hook-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/hook-wrapper/hook/
-COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/
-COPY --chown=app:app ./hook.js ./hook.js
+COPY --from=build --chown=root:root --chmod=755 /home/app/node_modules/ ./node_modules/
+COPY --chown=root:root --chmod=755 ./hook.js ./hook.js
 ```
 See [Local Deployment](/docs/contributing/local-deployment) for instructions on how to build and deploy your hook.
diff --git a/documentation/docs/contributing/integrating-a-scanner/parser-dir.md b/documentation/docs/contributing/integrating-a-scanner/parser-dir.md
index fe8ec7200f..58dfcac0c0 100644
--- a/documentation/docs/contributing/integrating-a-scanner/parser-dir.md
+++ b/documentation/docs/contributing/integrating-a-scanner/parser-dir.md
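Review bot: `--chmod=755` on the new `COPY` line marks parser.js executable for everyone, although the file is presumably loaded by the Node wrapper rather than run directly (the parser-sdk image in this patch starts `node` on parser-wrapper.js). Root ownership with read-only access already keeps the container user from modifying it, so `COPY --chown=root:root --chmod=644 ./parser.js ./parser.js` would be the tighter mode. The same applies to every single-file copy in this patch: hook.js, hook-wrapper.js, parser-wrapper.js, parser-utils.js and especially findings-schema.json, which is data. Since this file is the template new scanners are copied from, a comment above the line such as `# root-owned and read-only so the runtime user cannot alter the code (Sonar docker:S6504)` would keep the reason visible.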
@@ -24,8 +24,8 @@ RUN npm ci --production
 FROM securecodebox/parser-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/parser-wrapper/parser/
-COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/
-COPY --chown=app:app ./parser.js ./parser.js
+COPY --from=build --chown=root:root --chmod=755 /home/app/node_modules/ ./node_modules/
+COPY --chown=root:root --chmod=755 ./parser.js ./parser.js
 ```
 If your parser does not require any external dependencies, A multi-stage build is not needed.
@@ -36,7 +36,7 @@ ARG namespace
 ARG baseImageTag
 FROM securecodebox/parser-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/parser-wrapper/parser/
-COPY --chown=app:app ./parser.js ./parser.js
+COPY --chown=root:root --chmod=755 ./parser.js ./parser.js
 ```
 See [Local Deployment](/docs/contributing/local-deployment) for instructions on how to build your parser.
diff --git a/hook-sdk/nodejs/Dockerfile b/hook-sdk/nodejs/Dockerfile
index 97c5668ad5..2c74a94775 100644
--- a/hook-sdk/nodejs/Dockerfile
+++ b/hook-sdk/nodejs/Dockerfile
@@ -11,8 +11,8 @@ FROM node:22-alpine
 ARG NODE_ENV
 RUN addgroup --system --gid 1001 app && adduser app --system --uid 1001 --ingroup app
 WORKDIR /home/app/hook-wrapper/
-COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/
-COPY --chown=app:app ./hook-wrapper.js ./hook-wrapper.js
+COPY --from=build --chown=root:root --chmod=755 /home/app/node_modules/ ./node_modules/
+COPY --chown=root:root --chmod=755 ./hook-wrapper.js ./hook-wrapper.js
 USER 1001
 ENV NODE_ENV=${NODE_ENV:-production}
 ENTRYPOINT ["node", "/home/app/hook-wrapper/hook-wrapper.js"]
diff --git a/hooks/cascading-scans/hook/Dockerfile b/hooks/cascading-scans/hook/Dockerfile
index 146bfbe675..1d0c1776e2 100644
--- a/hooks/cascading-scans/hook/Dockerfile
+++ b/hooks/cascading-scans/hook/Dockerfile
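Review bot: In hook-sdk/nodejs/Dockerfile the two `COPY` lines now place root-owned files in `/home/app/hook-wrapper/`, but that directory sits inside the `app` user's home, which `adduser` normally creates owned by the new user; the hunk does not show this, so it is worth confirming in the built image with `ls -ld /home/app`. If the parent directory is writable by UID 1001, the entries beneath it can still be swapped out by the runtime user even though the files themselves are read-only, so the goal stated in the commit title would be only partly met. Provided nothing needs to write to the home directory at runtime, either install the wrapper outside `/home/app` or add `RUN chown root:root /home/app && chmod 755 /home/app` before `USER 1001`. parser-sdk/nodejs/Dockerfile has the same layout, and every hook and parser image built on these two bases inherits it.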
@@ -20,5 +20,5 @@ RUN npm run build
 FROM ${namespace:-securecodebox}/hook-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/hook-wrapper/hook/
-COPY --from=install --chown=app:app /home/app/node_modules/ ./node_modules/
-COPY --from=build --chown=app:app /home/app/hook.js /home/app/hook.js.map /home/app/scan-helpers.js /home/app/scan-helpers.js.map /home/app/scope-limiter.js /home/app/scope-limiter.js.map /home/app/kubernetes-label-selector.js /home/app/kubernetes-label-selector.js.map ./
+COPY --from=install --chown=root:root --chmod=755 /home/app/node_modules/ ./node_modules/
+COPY --from=build --chown=root:root --chmod=755 /home/app/hook.js /home/app/hook.js.map /home/app/scan-helpers.js /home/app/scan-helpers.js.map /home/app/scope-limiter.js /home/app/scope-limiter.js.map /home/app/kubernetes-label-selector.js /home/app/kubernetes-label-selector.js.map ./
diff --git a/hooks/finding-post-processing/hook/Dockerfile b/hooks/finding-post-processing/hook/Dockerfile
index 7e0527c122..2f59d82b14 100644
--- a/hooks/finding-post-processing/hook/Dockerfile
+++ b/hooks/finding-post-processing/hook/Dockerfile
@@ -12,5 +12,5 @@ RUN npm ci --production
 FROM ${namespace:-securecodebox}/hook-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/hook-wrapper/hook/
-COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/
-COPY --chown=app:app ./hook.js ./hook.js
+COPY --from=build --chown=root:root --chmod=755 /home/app/node_modules/ ./node_modules/
+COPY --chown=root:root --chmod=755 ./hook.js ./hook.js
diff --git a/hooks/generic-webhook/hook/Dockerfile b/hooks/generic-webhook/hook/Dockerfile
index 7e0527c122..2f59d82b14 100644
--- a/hooks/generic-webhook/hook/Dockerfile
+++ b/hooks/generic-webhook/hook/Dockerfile
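Review bot: On the `node_modules/` copy in hooks/cascading-scans/hook/Dockerfile, `--chmod=755` is applied to the whole copied tree, so every file of every dependency becomes executable, not only the directories that need the search bit. An octal mode cannot tell files from directories; if the Dockerfile frontend used for these builds accepts symbolic modes, `--chmod=u=rwX,go=rX` yields 755 directories and 644 files while keeping execute bits that were already set. If it does not, a comment such as `# 755 is needed for the directories; files inherit it as a side effect` would at least record the compromise. The other `node_modules/` copies in this patch and the `COPY --from=build … /home/app/ ./` line in hooks/notification/hook/Dockerfile are affected the same way.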
@@ -12,5 +12,5 @@ RUN npm ci --production
 FROM ${namespace:-securecodebox}/hook-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/hook-wrapper/hook/
-COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/
-COPY --chown=app:app ./hook.js ./hook.js
+COPY --from=build --chown=root:root --chmod=755 /home/app/node_modules/ ./node_modules/
+COPY --chown=root:root --chmod=755 ./hook.js ./hook.js
diff --git a/hooks/notification/hook/Dockerfile b/hooks/notification/hook/Dockerfile
index e238e97ef5..f463dc22d1 100644
--- a/hooks/notification/hook/Dockerfile
+++ b/hooks/notification/hook/Dockerfile
@@ -20,5 +20,5 @@ RUN npm run build && rm -rf node_modules
 FROM ${namespace:-securecodebox}/hook-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/hook-wrapper/hook/
-COPY --from=install --chown=app:app /home/app/node_modules/ ./node_modules/
-COPY --from=build --chown=app:app /home/app/ ./
+COPY --from=install --chown=root:root --chmod=755 /home/app/node_modules/ ./node_modules/
+COPY --from=build --chown=root:root --chmod=755 /home/app/ ./
diff --git a/hooks/persistence-azure-monitor/hook/Dockerfile b/hooks/persistence-azure-monitor/hook/Dockerfile
index 86d17d8b79..f1bd50720f 100644
--- a/hooks/persistence-azure-monitor/hook/Dockerfile
+++ b/hooks/persistence-azure-monitor/hook/Dockerfile
@@ -12,5 +12,5 @@ RUN npm ci --production
 FROM ${namespace:-securecodebox}/hook-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/hook-wrapper/hook/
-COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/
-COPY --chown=app:app ./hook.js ./hook.js
\ No newline at end of file
+COPY --from=build --chown=root:root --chmod=755 /home/app/node_modules/ ./node_modules/
+COPY --chown=root:root --chmod=755 ./hook.js ./hook.js
\ No newline at end of file
diff --git a/hooks/persistence-dependencytrack/hook/Dockerfile b/hooks/persistence-dependencytrack/hook/Dockerfile
index 72b825bee3..2f5ccf1f52 100644
--- a/hooks/persistence-dependencytrack/hook/Dockerfile
+++ b/hooks/persistence-dependencytrack/hook/Dockerfile
@@ -12,4 +12,4 @@ RUN npm ci --production
 FROM ${namespace:-securecodebox}/hook-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/hook-wrapper/hook/
-COPY --chown=app:app ./hook.js ./hook.js
+COPY --chown=root:root --chmod=755 ./hook.js ./hook.js
diff --git a/hooks/persistence-elastic/hook/Dockerfile b/hooks/persistence-elastic/hook/Dockerfile
index 7e0527c122..2f59d82b14 100644
--- a/hooks/persistence-elastic/hook/Dockerfile
+++ b/hooks/persistence-elastic/hook/Dockerfile
@@ -12,5 +12,5 @@ RUN npm ci --production
 FROM ${namespace:-securecodebox}/hook-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/hook-wrapper/hook/
-COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/
-COPY --chown=app:app ./hook.js ./hook.js
+COPY --from=build --chown=root:root --chmod=755 /home/app/node_modules/ ./node_modules/
+COPY --chown=root:root --chmod=755 ./hook.js ./hook.js
diff --git a/hooks/update-field-hook/hook/Dockerfile b/hooks/update-field-hook/hook/Dockerfile
index 7e0527c122..2f59d82b14 100644
--- a/hooks/update-field-hook/hook/Dockerfile
+++ b/hooks/update-field-hook/hook/Dockerfile
@@ -12,5 +12,5 @@ RUN npm ci --production
 FROM ${namespace:-securecodebox}/hook-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/hook-wrapper/hook/
-COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/
-COPY --chown=app:app ./hook.js ./hook.js
+COPY --from=build --chown=root:root --chmod=755 /home/app/node_modules/ ./node_modules/
+COPY --chown=root:root --chmod=755 ./hook.js ./hook.js
diff --git a/parser-sdk/nodejs/Dockerfile b/parser-sdk/nodejs/Dockerfile
index 54c3c9bce9..4dab56012c 100644
--- a/parser-sdk/nodejs/Dockerfile
+++ b/parser-sdk/nodejs/Dockerfile
@@ -11,10 +11,10 @@ FROM node:22-alpine
 ARG NODE_ENV
 RUN addgroup --system --gid 1001 app && adduser app --system --uid 1001 --ingroup app
 WORKDIR /home/app/parser-wrapper/
-COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/
-COPY --chown=app:app ./parser-wrapper.js ./parser-wrapper.js
-COPY --chown=app:app ./parser-utils.js ./parser-utils.js
-COPY --chown=app:app ./findings-schema.json ./findings-schema.json
+COPY --from=build --chown=root:root --chmod=755 /home/app/node_modules/ ./node_modules/
+COPY --chown=root:root --chmod=755 ./parser-wrapper.js ./parser-wrapper.js
+COPY --chown=root:root --chmod=755 ./parser-utils.js ./parser-utils.js
+COPY --chown=root:root --chmod=755 ./findings-schema.json ./findings-schema.json
 USER 1001
 ENV NODE_ENV=${NODE_ENV:-production}
 ENTRYPOINT ["node", "/home/app/parser-wrapper/parser-wrapper.js"]
diff --git a/scanners/amass/parser/Dockerfile b/scanners/amass/parser/Dockerfile
index 2a9a95cd0e..6aff6d3bd7 100644
--- a/scanners/amass/parser/Dockerfile
+++ b/scanners/amass/parser/Dockerfile
@@ -12,5 +12,5 @@ RUN npm ci --production
 FROM ${namespace:-securecodebox}/parser-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/parser-wrapper/parser/
-COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/
-COPY --chown=app:app ./parser.js ./parser.js
+COPY --from=build --chown=root:root --chmod=755 /home/app/node_modules/ ./node_modules/
+COPY --chown=root:root --chmod=755 ./parser.js ./parser.js
diff --git a/scanners/cmseek/parser/Dockerfile b/scanners/cmseek/parser/Dockerfile
index bdea7ac109..6cd833a0ee 100644
--- a/scanners/cmseek/parser/Dockerfile
+++ b/scanners/cmseek/parser/Dockerfile
@@ -6,4 +6,4 @@ ARG namespace
 ARG baseImageTag
 FROM ${namespace:-securecodebox}/parser-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/parser-wrapper/parser/
-COPY --chown=app:app ./parser.js ./parser.js
\ No newline at end of file
+COPY --chown=root:root --chmod=755 ./parser.js ./parser.js
\ No newline at end of file
diff --git a/scanners/ffuf/parser/Dockerfile b/scanners/ffuf/parser/Dockerfile
index bdea7ac109..6cd833a0ee 100644
--- a/scanners/ffuf/parser/Dockerfile
+++ b/scanners/ffuf/parser/Dockerfile
@@ -6,4 +6,4 @@ ARG namespace
 ARG baseImageTag
 FROM ${namespace:-securecodebox}/parser-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/parser-wrapper/parser/
-COPY --chown=app:app ./parser.js ./parser.js
\ No newline at end of file
+COPY --chown=root:root --chmod=755 ./parser.js ./parser.js
\ No newline at end of file
diff --git a/scanners/git-repo-scanner/parser/Dockerfile b/scanners/git-repo-scanner/parser/Dockerfile
index 86543ec4f1..af03db10cb 100644
--- a/scanners/git-repo-scanner/parser/Dockerfile
+++ b/scanners/git-repo-scanner/parser/Dockerfile
@@ -6,4 +6,4 @@ ARG namespace
 ARG baseImageTag
 FROM ${namespace:-securecodebox}/parser-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/parser-wrapper/parser/
-COPY --chown=app:app ./parser.js ./parser.js
+COPY --chown=root:root --chmod=755 ./parser.js ./parser.js
diff --git a/scanners/gitleaks/parser/Dockerfile b/scanners/gitleaks/parser/Dockerfile
index 74fdd7e8e5..ee2cd5a9d3 100644
--- a/scanners/gitleaks/parser/Dockerfile
+++ b/scanners/gitleaks/parser/Dockerfile
@@ -15,5 +15,4 @@ ARG baseImageTag
 FROM ${namespace:-securecodebox}/parser-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/parser-wrapper/parser/
-# COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/
-COPY --chown=app:app ./parser.js ./parser.js
+COPY --chown=root:root --chmod=755 ./parser.js ./parser.js
diff --git a/scanners/kube-hunter/parser/Dockerfile b/scanners/kube-hunter/parser/Dockerfile
index 86543ec4f1..af03db10cb 100644
--- a/scanners/kube-hunter/parser/Dockerfile
+++ b/scanners/kube-hunter/parser/Dockerfile
@@ -6,4 +6,4 @@ ARG namespace
 ARG baseImageTag
 FROM ${namespace:-securecodebox}/parser-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/parser-wrapper/parser/
-COPY --chown=app:app ./parser.js ./parser.js
+COPY --chown=root:root --chmod=755 ./parser.js ./parser.js
diff --git a/scanners/ncrack/parser/Dockerfile b/scanners/ncrack/parser/Dockerfile
index 2a9a95cd0e..6aff6d3bd7 100644
--- a/scanners/ncrack/parser/Dockerfile
+++ b/scanners/ncrack/parser/Dockerfile
@@ -12,5 +12,5 @@ RUN npm ci --production
 FROM ${namespace:-securecodebox}/parser-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/parser-wrapper/parser/
-COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/
-COPY --chown=app:app ./parser.js ./parser.js
+COPY --from=build --chown=root:root --chmod=755 /home/app/node_modules/ ./node_modules/
+COPY --chown=root:root --chmod=755 ./parser.js ./parser.js
diff --git a/scanners/nikto/parser/Dockerfile b/scanners/nikto/parser/Dockerfile
index 86543ec4f1..af03db10cb 100644
--- a/scanners/nikto/parser/Dockerfile
+++ b/scanners/nikto/parser/Dockerfile
@@ -6,4 +6,4 @@ ARG namespace
 ARG baseImageTag
 FROM ${namespace:-securecodebox}/parser-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/parser-wrapper/parser/
-COPY --chown=app:app ./parser.js ./parser.js
+COPY --chown=root:root --chmod=755 ./parser.js ./parser.js
diff --git a/scanners/nmap/parser/Dockerfile b/scanners/nmap/parser/Dockerfile
index 2a9a95cd0e..6aff6d3bd7 100644
--- a/scanners/nmap/parser/Dockerfile
+++ b/scanners/nmap/parser/Dockerfile
@@ -12,5 +12,5 @@ RUN npm ci --production
 FROM ${namespace:-securecodebox}/parser-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/parser-wrapper/parser/
-COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/
-COPY --chown=app:app ./parser.js ./parser.js
+COPY --from=build --chown=root:root --chmod=755 /home/app/node_modules/ ./node_modules/
+COPY --chown=root:root --chmod=755 ./parser.js ./parser.js
diff --git a/scanners/nuclei/parser/Dockerfile b/scanners/nuclei/parser/Dockerfile
index 86543ec4f1..af03db10cb 100644
--- a/scanners/nuclei/parser/Dockerfile
+++ b/scanners/nuclei/parser/Dockerfile
@@ -6,4 +6,4 @@ ARG namespace
 ARG baseImageTag
 FROM ${namespace:-securecodebox}/parser-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/parser-wrapper/parser/
-COPY --chown=app:app ./parser.js ./parser.js
+COPY --chown=root:root --chmod=755 ./parser.js ./parser.js
diff --git a/scanners/screenshooter/parser/Dockerfile b/scanners/screenshooter/parser/Dockerfile
index 86543ec4f1..af03db10cb 100644
--- a/scanners/screenshooter/parser/Dockerfile
+++ b/scanners/screenshooter/parser/Dockerfile
@@ -6,4 +6,4 @@ ARG namespace
 ARG baseImageTag
 FROM ${namespace:-securecodebox}/parser-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/parser-wrapper/parser/
-COPY --chown=app:app ./parser.js ./parser.js
+COPY --chown=root:root --chmod=755 ./parser.js ./parser.js
diff --git a/scanners/semgrep/parser/Dockerfile b/scanners/semgrep/parser/Dockerfile
index bdea7ac109..6cd833a0ee 100644
--- a/scanners/semgrep/parser/Dockerfile
+++ b/scanners/semgrep/parser/Dockerfile
@@ -6,4 +6,4 @@ ARG namespace
 ARG baseImageTag
 FROM ${namespace:-securecodebox}/parser-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/parser-wrapper/parser/
-COPY --chown=app:app ./parser.js ./parser.js
\ No newline at end of file
+COPY --chown=root:root --chmod=755 ./parser.js ./parser.js
\ No newline at end of file
diff --git a/scanners/ssh-audit/parser/Dockerfile b/scanners/ssh-audit/parser/Dockerfile
index e7742bf8ef..a0aa23a61c 100644
--- a/scanners/ssh-audit/parser/Dockerfile
+++ b/scanners/ssh-audit/parser/Dockerfile
@@ -8,4 +8,4 @@ ARG baseImageTag
 FROM securecodebox/parser-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/parser-wrapper/parser/
-COPY --chown=app:app ./parser.js ./parser.js
\ No newline at end of file
+COPY --chown=root:root --chmod=755 ./parser.js ./parser.js
\ No newline at end of file
diff --git a/scanners/sslyze/parser/Dockerfile b/scanners/sslyze/parser/Dockerfile
index 2a9a95cd0e..6aff6d3bd7 100644
--- a/scanners/sslyze/parser/Dockerfile
+++ b/scanners/sslyze/parser/Dockerfile
@@ -12,5 +12,5 @@ RUN npm ci --production
 FROM ${namespace:-securecodebox}/parser-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/parser-wrapper/parser/
-COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/
-COPY --chown=app:app ./parser.js ./parser.js
+COPY --from=build --chown=root:root --chmod=755 /home/app/node_modules/ ./node_modules/
+COPY --chown=root:root --chmod=755 ./parser.js ./parser.js
diff --git a/scanners/test-scan/parser/Dockerfile b/scanners/test-scan/parser/Dockerfile
index 86543ec4f1..af03db10cb 100644
--- a/scanners/test-scan/parser/Dockerfile
+++ b/scanners/test-scan/parser/Dockerfile
@@ -6,4 +6,4 @@ ARG namespace
 ARG baseImageTag
 FROM ${namespace:-securecodebox}/parser-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/parser-wrapper/parser/
-COPY --chown=app:app ./parser.js ./parser.js
+COPY --chown=root:root --chmod=755 ./parser.js ./parser.js
diff --git a/scanners/trivy-sbom/parser/Dockerfile b/scanners/trivy-sbom/parser/Dockerfile
index 86543ec4f1..af03db10cb 100644
--- a/scanners/trivy-sbom/parser/Dockerfile
+++ b/scanners/trivy-sbom/parser/Dockerfile
@@ -6,4 +6,4 @@ ARG namespace
 ARG baseImageTag
 FROM ${namespace:-securecodebox}/parser-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/parser-wrapper/parser/
-COPY --chown=app:app ./parser.js ./parser.js
+COPY --chown=root:root --chmod=755 ./parser.js ./parser.js
diff --git a/scanners/trivy/parser/Dockerfile b/scanners/trivy/parser/Dockerfile
index 86543ec4f1..af03db10cb 100644
--- a/scanners/trivy/parser/Dockerfile
+++ b/scanners/trivy/parser/Dockerfile
@@ -6,4 +6,4 @@ ARG namespace
 ARG baseImageTag
 FROM ${namespace:-securecodebox}/parser-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/parser-wrapper/parser/
-COPY --chown=app:app ./parser.js ./parser.js
+COPY --chown=root:root --chmod=755 ./parser.js ./parser.js
diff --git a/scanners/whatweb/parser/Dockerfile b/scanners/whatweb/parser/Dockerfile
index 86543ec4f1..af03db10cb 100644
--- a/scanners/whatweb/parser/Dockerfile
+++ b/scanners/whatweb/parser/Dockerfile
@@ -6,4 +6,4 @@ ARG namespace
 ARG baseImageTag
 FROM ${namespace:-securecodebox}/parser-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/parser-wrapper/parser/
-COPY --chown=app:app ./parser.js ./parser.js
+COPY --chown=root:root --chmod=755 ./parser.js ./parser.js
diff --git a/scanners/wpscan/parser/Dockerfile b/scanners/wpscan/parser/Dockerfile
index 86543ec4f1..af03db10cb 100644
--- a/scanners/wpscan/parser/Dockerfile
+++ b/scanners/wpscan/parser/Dockerfile
@@ -6,4 +6,4 @@ ARG namespace
 ARG baseImageTag
 FROM ${namespace:-securecodebox}/parser-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/parser-wrapper/parser/
-COPY --chown=app:app ./parser.js ./parser.js
+COPY --chown=root:root --chmod=755 ./parser.js ./parser.js
diff --git a/scanners/zap-automation-framework/parser/Dockerfile b/scanners/zap-automation-framework/parser/Dockerfile
index 2a9a95cd0e..6aff6d3bd7 100644
--- a/scanners/zap-automation-framework/parser/Dockerfile
+++ b/scanners/zap-automation-framework/parser/Dockerfile
@@ -12,5 +12,5 @@ RUN npm ci --production
 FROM ${namespace:-securecodebox}/parser-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/parser-wrapper/parser/
-COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/
-COPY --chown=app:app ./parser.js ./parser.js
+COPY --from=build --chown=root:root --chmod=755 /home/app/node_modules/ ./node_modules/
+COPY --chown=root:root --chmod=755 ./parser.js ./parser.js
diff --git a/scanners/zap/parser/Dockerfile b/scanners/zap/parser/Dockerfile
index 2a9a95cd0e..6aff6d3bd7 100644
--- a/scanners/zap/parser/Dockerfile
+++ b/scanners/zap/parser/Dockerfile
@@ -12,5 +12,5 @@ RUN npm ci --production
 FROM ${namespace:-securecodebox}/parser-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/parser-wrapper/parser/
-COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/
-COPY --chown=app:app ./parser.js ./parser.js
+COPY --from=build --chown=root:root --chmod=755 /home/app/node_modules/ ./node_modules/
+COPY --chown=root:root --chmod=755 ./parser.js ./parser.js