From 490ba2f51289bb80b3035aacd0d78d4d280f340e Mon Sep 17 00:00:00 2001
From: Adam Mathes
Date: Sat, 14 Feb 2026 09:18:29 -0800
Subject: security: run docker container as non-root user (fixing NK-o3n9jf)
---
 Dockerfile | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
(limited to 'Dockerfile')
diff --git a/Dockerfile b/Dockerfile
index ef1f492..a69379c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -24,12 +24,16 @@ RUN go build -o neko .
 # Stage 3: Final Image
 FROM debian:bullseye-slim
+
+# Create a non-root user
+RUN groupadd -r neko && useradd -r -g neko neko
+
 WORKDIR /app
 COPY --from=backend-builder /app/neko .
 COPY --from=backend-builder /app/static ./static
-# Ensure data directory exists
-RUN mkdir -p /app/data
+# Ensure data directory exists and set permissions
+RUN mkdir -p /app/data && chown -R neko:neko /app/data
 # Default environment variables
 ENV NEKO_PORT=8080
@@ -37,4 +41,7 @@ ENV NEKO_DB=/app/data/neko.db
 EXPOSE 8080
+# Switch to non-root user
+USER neko
+
 CMD ["./neko", "-s", "8080", "-d", "/app/data/neko.db"]
--
cgit v1.2.3
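Review bot: The account created by `groupadd -r neko && useradd -r -g neko neko` gets whatever UID/GID the base image's system range hands out, so the owner of `/app/data` is not a documented, stable number. That makes it hard to pre-chown a host bind mount. It also means the name-based `USER neko` in the second hunk cannot be verified by a Kubernetes `runAsNonRoot` policy, which needs a numeric user. I would pin the ids, for example `RUN groupadd -r -g 10001 neko && useradd -r -u 10001 -g neko -s /usr/sbin/nologin neko`, and switch with `USER 10001:10001` (10001 is an illustrative value, not taken from the project). The final stage starts in this hunk and continues past it.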
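Review bot: Dropping to `USER neko` in the second hunk will likely break upgrades for deployments that already mount a volume or host directory at `/app/data`. The `chown -R` in the first hunk only changes the image layer, so a `neko.db` written by the earlier root-running image stays root-owned and the process can no longer open it for writing. No `VOLUME` or compose file is visible in this diff, so this is inferred from the `-d /app/data/neko.db` default in `CMD`. I would extend the comment to say so, e.g. `# Switch to non-root user; data volumes created by older (root) images must be chowned to this user before upgrading`, and repeat the step in the release notes.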