From 8b38c43b8ac4bafa944ac940996cfa071ff98f8a Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier
Date: Sun, 26 Apr 2026 01:10:32 +0700
Subject: [PATCH] Run container as non-root user

Add USER 65534:65534 to the scratch runtime image so the checker process does not run as root.
---
 Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Dockerfile b/Dockerfile
index 64d656c..d7967c0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,5 +11,6 @@ RUN CGO_ENABLED=0 go build -tags standalone -ldflags "-X main.Version=${CHECKER_
 FROM scratch
 COPY --from=builder /checker-autoconfig /checker-autoconfig
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+USER 65534:65534
 EXPOSE 8080
 ENTRYPOINT ["/checker-autoconfig"]
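Review bot: The added `USER 65534:65534` runs the checker under the conventional `nobody` ID, which is also the kernel's overflow UID and the fallback many other images use, so without user-namespace remapping this process shares a host UID with unrelated workloads and with files that appear as unmapped. A dedicated unprivileged numeric ID would keep the non-root benefit without that sharing, for example `USER 10001:10001` (value illustrative). Whichever ID is kept, a one-line comment above it would help the next maintainer, such as `# numeric UID:GID: scratch has no /etc/passwd, and runAsNonRoot checks need a number`. Both `COPY --from=builder` lines leave the files root-owned, which works only if the binary is world-executable and the CA bundle world-readable; the builder stage is outside the hunk, so that is assumed rather than confirmed.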