Update Retire.js analyzer to run as non-privileged container
Our retire.js analyzer currently needs npm_config_unsafe_perm set so that npm packages can be installed with root privileges. This is not a recommended best practice and leads to an awkward configuration, since it relies on an unsafe configuration override.
We should instead change our base image to set up a runtime user and no longer require a privileged container. Root installation is unnecessary.
According to http://canihaznonprivilegedcontainers.info/, there are only a few reasons a container should run as root. So unless your application needs to:
- run with multiple UIDs,
- bind to a port lower than 1024, or
- modify parts of the kernel
… it should not run as root.
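The change described above, as an added example (not the analyzer's actual Dockerfile): the current privileged approach is kept as commented-out lines so the two can be compared, and the corrected version installs retire.js as the unprivileged `node` user that the official Node images already ship. The base image tag, the global-prefix path and the retire package name are assumptions for illustration.

```dockerfile
# Assumed base image; the official node images ship a 'node' user (uid 1000).
FROM node:lts-alpine

# --- Current (weak) setup, kept for comparison only ---
# Installing as root and telling npm to skip its uid/gid handling is what
# the npm_config_unsafe_perm override does; this is what we want to drop.
# ENV npm_config_unsafe_perm=true
# RUN npm install -g retire

# --- Corrected setup: run and install as a non-root runtime user ---
# Point npm's global prefix at a directory the runtime user owns, so
# 'npm install -g' needs no root privileges and no unsafe-perm override.
ENV NPM_CONFIG_PREFIX=/home/node/.npm-global
ENV PATH=$PATH:/home/node/.npm-global/bin

# Give the runtime user a writable prefix and working directory.
RUN mkdir -p /home/node/.npm-global /app \
    && chown -R node:node /home/node /app

# Everything from here on runs as uid 1000, including the npm install.
USER node
WORKDIR /app

# Assumed package name for the analyzer's scanner.
RUN npm install -g retire

ENTRYPOINT ["retire"]
```

To confirm the image no longer runs as root, `docker run --rm --entrypoint id <image> -u` should print `1000`, and the npm install step should succeed without any npm_config_unsafe_perm or `could not get uid/gid` error, because npm is never asked to drop privileges in the first place.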
Original description
Follow up of gitlab-org/security-products/analyzers/retire.js!9 (comment 155729317)
The retire.js analyzer fails with a "could not get uid/gid" error. We implemented a workaround, as suggested in https://github.com/nodejs/docker-node/issues/813#issuecomment-407339011
We should leave this workaround in the long term, and should evaluate whether it's better to slim instead.
/cc @theoretick