From 48c639e6517231276ad432c732f70b5e9a257b01 Mon Sep 17 00:00:00 2001
From: jenkins
Date: Wed, 22 Apr 2026 00:00:09 -0300
Subject: [PATCH] security(atlasbot): run images as non-root

---
 Dockerfile | 4 ++++
 Dockerfile.base | 7 ++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 51c373d..cd00ebb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,6 +11,9 @@ COPY pyproject.toml /app/pyproject.toml
 RUN pip install --no-cache-dir --retries 10 -r /app/requirements.txt
 COPY atlasbot /app/atlasbot
+RUN addgroup --system atlasbot && \
+ adduser --system --ingroup atlasbot --home /app atlasbot && \
+ chown -R atlasbot:atlasbot /app
 FROM base AS test
 COPY requirements-dev.txt /app/requirements-dev.txt
@@ -21,4 +24,5 @@ COPY scripts /app/scripts
 FROM base AS runtime
 EXPOSE 8090
+USER atlasbot
 CMD ["python", "-m", "atlasbot.main"]
diff --git a/Dockerfile.base b/Dockerfile.base
index d594a91..1f96315 100644
--- a/Dockerfile.base
+++ b/Dockerfile.base
@@ -6,4 +6,9 @@ ENV PYTHONDONTWRITEBYTECODE=1 \
 WORKDIR /app
 COPY requirements.txt /app/requirements.txt
 COPY requirements-dev.txt /app/requirements-dev.txt
-RUN pip install --no-cache-dir -r /app/requirements.txt -r /app/requirements-dev.txt
+RUN pip install --no-cache-dir -r /app/requirements.txt -r /app/requirements-dev.txt && \
+ addgroup --system atlasbot && \
+ adduser --system --ingroup atlasbot --home /app atlasbot && \
+ chown -R atlasbot:atlasbot /app
+
+USER atlasbot
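Review bot: The new RUN block in the first Dockerfile hunk makes the runtime user the owner of the code it executes (`chown -R atlasbot:atlasbot /app` combined with `--home /app`), so a process running as atlasbot can overwrite /app/atlasbot in place; dropping root therefore limits privilege escalation but not persistence or code tampering after an application-level compromise. Unless the service has to write under /app, keep the tree root-owned and world-readable — drop the chown, and give the user a home outside the code tree, e.g. `adduser --system --ingroup atlasbot --home /nonexistent --no-create-home atlasbot` — and grant write access only to specific data or cache directories if any are needed. The `addgroup --system`/`adduser --system --ingroup` flags are the Debian forms; if the base image is not Debian-derived (not visible here) the BusyBox equivalents differ and the build would fail. Note also that the `USER atlasbot` in the second hunk applies only to the runtime stage, so the test stage still runs as root, which may be intended but is worth a one-line comment above the `FROM base AS test` line.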
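Review bot: Ending Dockerfile.base with `USER atlasbot` means every image built FROM this base starts unprivileged, so any downstream `RUN pip install ...` or package-manager step will fail with permission errors unless that Dockerfile first switches back with `USER root` and then drops privileges again; either document this contract with a comment above the line (e.g. `# Downstream images inherit this user; use USER root before installing packages`) or leave the USER switch to the final images. The `chown -R atlasbot:atlasbot /app` here has the same consequence as in the Dockerfile hunk: the runtime user owns the directory it runs from, so application files can be modified by the running process rather than being read-only. Whether the Dockerfile in this commit actually builds on this base image cannot be determined from the hunks.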