Merge pull request #242 from developmentseed/non-root-container

Add non-root user for container.

Author: vincentsarago

CHANGES.md

@@ -9,6 +9,7 @@ Note: Minor version `0.X.0` update might break the API, It's recommended to pin
 ## [unreleased]
 
 * switch to official python docker image from `bitnami`
+* changed container image to use non-root `user`
 
 ## [1.2.1] - 2025-08-26
 

dockerfiles/Dockerfile

@@ -24,11 +24,17 @@ COPY pyproject.toml pyproject.toml
 RUN python -m pip install . --no-cache-dir
 RUN rm -rf tipg/ README.md pyproject.toml LICENSE
 
+RUN groupadd -g 1000 user && \
+    useradd -u 1000 -g user -s /bin/bash -m user
+
+USER user
+
 ###################################################
 # For compatibility (might be removed at one point)
 ENV MODULE_NAME=tipg.main
 ENV VARIABLE_NAME=app
 ENV HOST=0.0.0.0
 ENV PORT=80
 ENV WEB_CONCURRENCY=1
+
 CMD gunicorn -k uvicorn.workers.UvicornWorker ${MODULE_NAME}:${VARIABLE_NAME} --bind ${HOST}:${PORT} --workers ${WEB_CONCURRENCY}