security: add non-root appuser to services/ml/Dockerfile

Create system user appuser with useradd, set ownership of /app, and switch to non-root user before CMD to reduce container attack surface. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-18 11:34:26 +01:00 · 2026-02-18 11:34:26 +01:00 · 1438e474e8
commit 1438e474e8
parent 34e543ea96
2 changed files with 8 additions and 1 deletions
--- a/openspec/changes/code-review-fix/tasks.md
+++ b/openspec/changes/code-review-fix/tasks.md
@ -53,7 +53,7 @@
 ## 6. Infrastructure & Docker

 - [x] 6.1 `[sonnet]` Add `headers()` function to `next.config.js` with X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Content-Security-Policy
- [ ] 6.2 `[sonnet]` Add `USER appuser` to `services/ml/Dockerfile`: create user with `useradd`, set ownership, add USER directive before CMD
+- [x] 6.2 `[sonnet]` Add `USER appuser` to `services/ml/Dockerfile`: create user with `useradd`, set ownership, add USER directive before CMD
 - [ ] 6.3 `[haiku]` Create `.dockerignore` with `.git`, `.env`, `.env*`, `node_modules`, `.next`, `data/`, `*.md`, `__pycache__/`, `mlruns/`, `models/`
 - [ ] 6.4 `[haiku]` Change TA-Lib download URL to HTTPS in `services/ml/Dockerfile:10`
 - [ ] 6.5 `[sonnet]` Add SHA256 checksum verification for TA-Lib download in `services/ml/Dockerfile`
--- a/services/ml/Dockerfile
+++ b/services/ml/Dockerfile
@ -32,5 +32,12 @@ COPY . .
 # Expose port for FastAPI
 EXPOSE 8001

+# Create non-root user and set ownership
+RUN useradd -r -s /bin/false appuser
+RUN chown -R appuser:appuser /app
+
+# Switch to non-root user
+USER appuser
+
 # Run the inference server by default
 CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8001"]