From e6ebb4e1511229c83a56c0751affb04ff1c9cf91 Mon Sep 17 00:00:00 2001
From: Simone Locci <simonelocci88@gmail.com>
Date: Wed, 27 Aug 2025 18:51:24 +0200
Subject: [PATCH] Improve docker security

---
 Dockerfile | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 5c1f091..6ba6581 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,8 @@
 FROM python:3.13-slim AS builder
 LABEL maintainer="Simone Locci <simonelocci88@gmail.com>"
 
+RUN addgroup --system appgroup && adduser --system --ingroup appgroup appuser
+
 WORKDIR /build
 RUN pip install --no-cache-dir poetry
 COPY pyproject.toml poetry.lock ./
@@ -16,9 +18,12 @@ ENV PYTHONDONTWRITEBYTECODE=1 \
 WORKDIR /app
 COPY --from=builder /usr/local/lib/python3.13/site-packages /usr/local/lib/python3.13/site-packages
 COPY --from=builder /usr/local/bin /usr/local/bin
+COPY --from=builder /etc/passwd /etc/passwd
+COPY --from=builder /etc/group /etc/group
 COPY app ./app
 COPY log_config.yml .
 
 EXPOSE 8000
 
+USER appuser
 CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000", "--log-config", "log_config.yml"]