Run Secure analyzers as non-root users
Goal
Best practice is not to run containers as root, especially when combined with privileged containers and mounts on the root filesystem.
This also means our secure containers are unable to run on OpenShift (see &2068) which does not allow root execution.
If we reduce permissions, we should probably still grant sudo access so that users can install dependencies, e.g. a before_script step such as apt install gcc.
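An added example, not one of the analyzer images' own Dockerfiles: a Dockerfile that switches the analyzer to a fixed non-root UID while leaving a sudo rule for apt-get so a before_script can still install packages. The analyzer binary path, user name and UID are assumptions; the base image is assumed to be Debian-based.

```dockerfile
# Added example (not an actual GitLab analyzer Dockerfile): run the analyzer as a
# fixed non-root UID while still letting a pipeline's before_script install
# packages through a sudo rule scoped to apt-get.
FROM debian:bookworm-slim

# Hypothetical user name and UID; pick a UID that does not clash with the runner.
ARG ANALYZER_USER=analyzer
ARG ANALYZER_UID=1000

RUN apt-get update \
 && apt-get install -y --no-install-recommends sudo ca-certificates \
 && rm -rf /var/lib/apt/lists/* \
 && useradd --uid "${ANALYZER_UID}" --create-home --shell /bin/bash "${ANALYZER_USER}"

# Only apt-get may be run as root via sudo, without a password; "sudo sh" is denied.
# Caveat: apt-get accepts -o options that run hooks as root, so this rule is
# convenience for dependency installs, not a hard privilege boundary. The gain is
# that the analyzer process itself no longer runs as root by default.
RUN printf '%s\n' \
      "${ANALYZER_USER} ALL=(root) NOPASSWD: /usr/bin/apt-get" \
      > /etc/sudoers.d/analyzer \
 && chmod 0440 /etc/sudoers.d/analyzer \
 && visudo -c -f /etc/sudoers.d/analyzer

# Working directory owned by the analyzer user so it can write its report file.
WORKDIR /app
RUN chown "${ANALYZER_UID}" /app

# Numeric UID (not a name) so admission checks such as OpenShift's can see
# that the image is non-root without resolving /etc/passwd inside it.
USER ${ANALYZER_UID}

# Hypothetical analyzer entrypoint.
ENTRYPOINT ["/analyzer", "run"]
```

With this image a job's before_script would use sudo apt-get install -y gcc instead of apt install gcc, and the rest of the job runs as the unprivileged UID.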
Containers that run as root

- bandit: root (Deprecated in %17.0)
- brakeman: root (Deprecated in %17.0)
- bundler-audit: root (#281816 (closed))
- flawfinder: root (Deprecated in %17.0)
- gemnasium: root (#281816 (closed))
- gemnasium-maven: root (#281816 (closed))
- gemnasium-python: root (#281816 (closed))
- gosec: root (Deprecated in %15.0)
- gcs: root (#273530 (closed))
- pmd-apex: root
- retire.js: root (#281816 (closed))
- secrets: root
- security-code-scan: root
- sobelow: root
- spotbugs: root
Edited by Thiago Figueiró