chore: ensure docker file runs as non root user (#32976)

GavinZZ · web-flow · commit ddaad470c5da · 2025-01-17T01:17:23.000Z
### Reason for this change Fix Code Scanner issue ``` By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'. ``` ### Description of changes Create a new group and attach the user to the group. The dockerfile already gives necessary permissions with statements like `chmod 777` ### Description of how you validated changes N/A ### Checklist - [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk/aws-lambda-go-alpha/lib/Dockerfile b/packages/@aws-cdk/aws-lambda-go-alpha/lib/Dockerfile
@@ -12,4 +12,7 @@ ENV GOPROXY=direct
 RUN mkdir $GOPATH && \
   chmod -R 777 $GOPATH
 
+# Switch to a non-root user
+USER nobody
+
 CMD [ "go" ]
diff --git a/packages/@aws-cdk/aws-lambda-python-alpha/lib/Dockerfile b/packages/@aws-cdk/aws-lambda-python-alpha/lib/Dockerfile
@@ -36,4 +36,7 @@ RUN \
 # Ensure no temporary files remain in the caches
     rm -rf /tmp/pip-cache/* /tmp/poetry-cache/*
 
+# Switch to a non-root user
+USER nobody    
+
 CMD [ "python" ]
diff --git a/packages/aws-cdk-lib/aws-lambda-nodejs/lib/Dockerfile b/packages/aws-cdk-lib/aws-lambda-nodejs/lib/Dockerfile
@@ -47,4 +47,6 @@ RUN mkdir /tmp/bun-cache && \
     chmod -R 777 /tmp/bun-cache && \
     echo -e "[install.cache]\ndir = \"/tmp/bun-cache\"\ndisable = true" >> /home/user/.bunfig.toml
 
+USER nobody
+
 CMD [ "esbuild" ]
