From 701072eaa7ce2588290652e3e612cd6d85a806d1 Mon Sep 17 00:00:00 2001
From: Stephen Fox Jr
Date: Tue, 18 Jul 2023 16:13:29 -0400
Subject: [PATCH] dockerfile: Use distroless image. Run as non-root user.
---
 Dockerfile | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 890fd4b..4000b46 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,14 +12,14 @@ COPY internal ./internal
 COPY processors ./processors
 COPY main.go .
-RUN go build -o audito-maldito
+RUN CGO_ENABLED=0 go build -o audito-maldito
-# Not using distroless nor scratch because we need the systemd shared libraries
-FROM ubuntu:22.04
-# NOTE(jaosorior): Yes, we need to be the root user for this case.
-# We need access to the journal's privileged log entries and the audit log in the future.
-USER 0
+FROM gcr.io/distroless/static:nonroot
-COPY --from=builder /go/src/audito-maldito/audito-maldito /usr/bin/audito-maldito
+COPY --from=builder /go/src/audito-maldito/audito-maldito /
-ENTRYPOINT [ "/usr/bin/audito-maldito" ]
\ No newline at end of file
+# "NONROOT" comes from distroless:
+# https://github.com/GoogleContainerTools/distroless/blob/main/base/base.bzl
+USER 65532:65532
+
+ENTRYPOINT [ "/audito-maldito" ]
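Review bot: The switch to `USER 65532:65532` drops the removed comment that recorded why root was required (privileged journal entries and the audit log) without stating how the non-root process now reaches those files, so that operational requirement no longer lives in the Dockerfile. A comment above the `USER` line such as `# uid 65532 has no privileged access; journal and audit log paths must be made readable to it at deploy time` would preserve that knowledge next to the line that changed it. The `FROM gcr.io/distroless/static:nonroot` line references a mutable tag; pinning it as `FROM gcr.io/distroless/static:nonroot@sha256:<DIGEST-PLACEHOLDER>` keeps the runtime image reproducible, and the builder base outside this hunk deserves the same treatment. Since the distroless `:nonroot` variant already sets this user the explicit `USER` line is redundant but harmless, and whether `CGO_ENABLED=0` is compatible with the journal access the old comment tied to systemd shared libraries cannot be confirmed from this hunk.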