Test/remove uidgid

Dockerfile

@@ -1,11 +1,20 @@
 #checkov:skip=CKV_DOCKER_7: Base image is using a non-latest version tag by default, Checkov is unable to parse due to the use of ARG
-#checkov:skip=CKV_DOCKER_3: ASH is focused on mounting source code into the container and scanning it, not running services. Setting USER breaks the ability for certain scanners to work correctly.
 #
 # Enable BASE_IMAGE as an overrideable ARG for proxy cache + private registry support
 #
 ARG BASE_IMAGE=public.ecr.aws/docker/library/python:3.10-bullseye
 FROM ${BASE_IMAGE}
 
+#
+# Collect the host UID/GID which built the image in order to set the UID/GID of the non-root user
+# to match the UID/GID of the builder of the container.
+#
+# Set the default values to non-zero to avoid someone inadvertantly creating a container that runs as root
+# if/when they did not specify these as --build-arg arguments on the ${OCI_RUNNER} build command.
+#
+ARG UID=500
+ARG GID=100
+
 #
 # Setting timezone in the container to UTC to ensure logged times are universal.
 #
@@ -134,6 +143,34 @@ COPY ./appsec_cfn_rules /ash/appsec_cfn_rules/
 COPY ./ash-multi /ash/ash
 COPY ./__version__ /ash/__version__
 
+RUN chmod -R +r /ash && chmod +x /ash/ash
+
+#
+# Create a non-root user in the container and run as this user
+#
+# And add GitHub's public fingerprints to known_hosts inside the image to prevent fingerprint
+# confirmation requests unexpectedly
+#
+ARG ASHUSER_HOME=/home/ash-user
+RUN addgroup --gid ${GID} ash-group || \
+    adduser --disabled-password --disabled-login \
+        --uid ${UID} --gid ${GID} \
+        ash-user && \
+    mkdir -p ${ASHUSER_HOME}/.ssh && \
+    echo "github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl" >> ${ASHUSER_HOME}/.ssh/known_hosts && \
+    echo "github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=" >> ${ASHUSER_HOME}/.ssh/known_hosts && \
+    echo "github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=" >> ${ASHUSER_HOME}/.ssh/known_hosts && \
+    chown -R ${UID}:${GID} ${ASHUSER_HOME}
+# Setting default WORKDIR to ${ASHUSER_HOME}
+WORKDIR ${ASHUSER_HOME}
+
+USER ${UID}
+
+#
+# Set the HOME environment variable to be the HOME folder for the non-root user
+#
+ENV HOME=${ASHUSER_HOME}
+
 #
 # Flag ASH as local execution mode since we are running in a container already
 #

ash

@@ -77,6 +77,12 @@ if [[ "${OUTPUT_DIR_SPECIFIED}" == "YES" ]]; then
   OUTPUT_DIR="$(cd "$OUTPUT_DIR"; pwd)"
 fi
 
+#
+# Gather the UID and GID of the caller
+#
+# HOST_UID=$(id -u)
+# HOST_GID=$(id -g)
+
 # Resolve the OCI_RUNNER
 RESOLVED_OCI_RUNNER=${OCI_RUNNER:-$(command -v finch || command -v docker || command -v nerdctl || command -v podman)}
 
@@ -99,7 +105,9 @@ else
         --file "${ASH_ROOT_DIR}/Dockerfile" \
         ${DOCKER_EXTRA_ARGS} \
         "${ASH_ROOT_DIR}"
-      eval $build_cmd
+        # --build-arg UID="${HOST_UID}" \
+        # --build-arg GID="${HOST_GID}" \
+      # eval $build_cmd
     fi
 
     # Run the image if the --no-run flag is not set