Stop using root in container scanning analyzer

Why are we doing this work

  1. Follow container security best practice
  2. Enable our analyzer to run on OpenShift

Relevant links

Non-functional requirements

  • [ ] Documentation:
  • [ ] Feature flag:
  • [ ] Performance:
  • [ ] Testing:

Implementation plan

There should be no use case where dependencies need to be installed in the gitlab-klar/gcs container. This differs from other analyzers, where the project sometimes has to be built before it is analyzed: Klar/gcs downloads and scans a Docker image which, by definition, is already built. Nothing in the scan itself needs root privileges.

gcs

  • Add a non-root user to the container and switch to it with a numeric USER, so that OpenShift and Kubernetes can verify the container does not run as root.
  • The ADDITIONAL_CA_CERT_BUNDLE content is written to /usr/local/share/ca-certificates/custom.crt, a location a non-root user cannot write to (and updating the system CA store from there requires root as well). It has to be written to a directory the non-root user can read and write, and the analyzer pointed at it. Maybe something similar to how it's done in the eslint analyzer?
  • WORKDIR points to the root directory, which a non-root user cannot write to. It has to be changed to a directory the non-root user can read and write.
  • Test the analyzer running as a non-root user in an OpenShift environment, where the restricted SCC assigns an arbitrary UID rather than the one declared in the image.
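The plan above as one Dockerfile, added here as an illustration; it is not the gitlab-klar/gcs Dockerfile. The Alpine base image, the user name and UID, the /home/gitlab paths and the name of the analyzer binary are assumptions. It covers the four steps together: a numeric non-root USER, a writable WORKDIR under the user's home, the custom CA bundle written to a user-owned directory and handed to the Go TLS stack via SSL_CERT_FILE instead of the system store, and group-0 write permissions so the same image runs under OpenShift's arbitrary-UID model.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not the gitlab-klar/gcs Dockerfile. Base image, user/UID,
# paths and the analyzer binary name are assumptions for illustration.
FROM alpine:3.18

# System CA store; it stays read-only for the unprivileged user later.
RUN apk add --no-cache ca-certificates

# Unprivileged user with a fixed, numeric UID. runAsNonRoot can only be
# verified by Kubernetes/OpenShift when USER is numeric, not a name.
RUN addgroup -S -g 1001 gitlab \
 && adduser -S -u 1001 -G gitlab -h /home/gitlab -s /bin/sh gitlab

# Everything the analyzer writes lives under HOME, never under /.
# OpenShift's restricted SCC runs the container as an arbitrary UID with
# GID 0, so the directory is group-owned by root and group-writable (g=u).
ENV HOME=/home/gitlab
WORKDIR /home/gitlab
RUN mkdir -p /home/gitlab/ca \
 && chgrp -R 0 /home/gitlab \
 && chmod -R g=u /home/gitlab

# Assumed analyzer binary, built in an earlier stage or CI job.
COPY --chown=1001:0 analyzer /usr/local/bin/analyzer

# Entrypoint: copy the system bundle into the user-writable directory,
# append ADDITIONAL_CA_CERT_BUNDLE, and point Go at the result.
# update-ca-certificates would need root, so it is not run at start-up.
COPY <<'EOF' /usr/local/bin/entrypoint.sh
#!/bin/sh
set -eu
bundle="$HOME/ca/bundle.crt"
cp /etc/ssl/certs/ca-certificates.crt "$bundle"
if [ -n "${ADDITIONAL_CA_CERT_BUNDLE:-}" ]; then
  # A newline keeps the custom PEM block separate from the last system cert.
  printf '\n%s\n' "$ADDITIONAL_CA_CERT_BUNDLE" >> "$bundle"
fi
# SSL_CERT_FILE replaces the default store rather than extending it,
# which is why the system bundle is copied in first.
export SSL_CERT_FILE="$bundle"
exec /usr/local/bin/analyzer "$@"
EOF
RUN chmod 0755 /usr/local/bin/entrypoint.sh

USER 1001
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
```

Build with `docker build -t gcs-nonroot .` and check the two failure modes the plan names: `docker run --rm --user 12345:0 -e ADDITIONAL_CA_CERT_BUNDLE="$(cat custom.pem)" gcs-nonroot` exercises the arbitrary-UID case (the user has no passwd entry, but HOME and the bundle directory are still writable through GID 0), and `docker run --rm gcs-nonroot` without the variable confirms that the copied system bundle alone is enough to pull images over TLS.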
Edited by Sashi Kumar Kumaresan