docker: default published images to seaweed user (#8819)

* ci: add Trivy CVE scan to container release workflow * docker: default published images to seaweed user * Revert "ci: add Trivy CVE scan to container release workflow" This reverts commit bc9b7e1cf7a0694e355c5d23b5e323a07e8ba670.
2026-03-28 21:03:24 -07:00
parent 0884acd70c
commit 056cf6fa5b
2 changed files with 10 additions and 2 deletions
--- a/docker/Dockerfile.go_build
+++ b/docker/Dockerfile.go_build
@@ -79,5 +79,9 @@ RUN mkdir -p /data/filerldb2 && \
 VOLUME /data
 WORKDIR /data

-# Entrypoint will handle permission fixes and user switching
+# Run as non-root by default (satisfies security scanners).
+# Use `docker run --user root` if you need the entrypoint to fix
+# /data volume ownership before dropping privileges.
+USER seaweed
+
 ENTRYPOINT ["/entrypoint.sh"]
--- a/docker/Dockerfile.local
+++ b/docker/Dockerfile.local
@@ -37,5 +37,9 @@ RUN mkdir -p /data/filerldb2 && \
 VOLUME /data
 WORKDIR /data

-# Entrypoint will handle permission fixes and user switching
+# Run as non-root by default (satisfies security scanners).
+# Use `docker run --user root` if you need the entrypoint to fix
+# /data volume ownership before dropping privileges.
+USER seaweed
+
 ENTRYPOINT ["/entrypoint.sh"]