Skip to content

INF-1650: run agentql-mcp container as non-root user#50

Merged
andriy-sudo merged 1 commit into
mainfrom
andriy/inf-1650-dockerfile-nonroot-user
Jun 9, 2026
Merged

INF-1650: run agentql-mcp container as non-root user#50
andriy-sudo merged 1 commit into
mainfrom
andriy/inf-1650-dockerfile-nonroot-user

Conversation

@andriy-sudo

Copy link
Copy Markdown
Contributor

What

Clears the Semgrep finding dockerfile.security.missing-user.missing-user (ERROR) at Dockerfile:21 from the fresh org-wide SAST scan (INF-1650). The container had no USER instruction, so the MCP server ran as root.

How

Add USER node before CMD. The node:20-alpine base image ships a non-privileged node user (uid 1000); the build artifacts under /app are world-readable, so the runtime needs only read access — no chown required.

Verification

  • Before: semgrep --config p/dockerfile → 1 finding (missing-user)
  • After: → 0 findings
  • npm run build / npm run lint (the repo CI) are unaffected — the change only adds a runtime USER.

Closes INF-1650.

🤖 Generated with Claude Code

Add `USER node` before CMD so the MCP server no longer runs as root,
clearing the Semgrep finding dockerfile.security.missing-user. The node
base image ships a non-privileged `node` user (uid 1000); build
artifacts under /app are world-readable so no chown is needed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 9, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0418013f-184e-49ad-9253-68e4f211a3d3

📥 Commits

Reviewing files that changed from the base of the PR and between 8a634e6 and 860ebe5.

📒 Files selected for processing (1)
  • Dockerfile

📝 Walkthrough

Walkthrough

This PR modifies the Dockerfile to run the container as the non-root node user instead of the default user. The change adds a USER node directive at the end of the Dockerfile along with inline comments documenting that the base image already provides this non-privileged user and that build artifacts are world-readable, so elevated privileges are not required for runtime read operations.

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The pull request title clearly summarizes the main change: adding a USER instruction to run the container as a non-root user, which directly corresponds to the Dockerfile modification.
Description check ✅ Passed The pull request description is well-related to the changeset, explaining the purpose (fixing Semgrep finding), the implementation (adding USER node), and verification steps.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch andriy/inf-1650-dockerfile-nonroot-user

Comment @coderabbitai help to get the list of available commands and usage tips.

@andriy-sudo andriy-sudo requested a review from paveldudka June 9, 2026 09:42
@andriy-sudo andriy-sudo merged commit 141bb0e into main Jun 9, 2026
4 checks passed
@andriy-sudo andriy-sudo deleted the andriy/inf-1650-dockerfile-nonroot-user branch June 9, 2026 17:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants