From e3e1358b1f5f23b60a3a27c5201a10c77460a3e8 Mon Sep 17 00:00:00 2001
From: Cal Corum
Date: Thu, 9 Apr 2026 12:02:09 -0500
Subject: [PATCH] security: add non-root user to Dockerfile (#120)
Closes #120
Co-Authored-By: Claude Sonnet 4.6
---
 Dockerfile | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 1e0ccb5..0433889 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -22,8 +22,11 @@ RUN pip install --no-cache-dir --upgrade pip && \
 # Copy application code
 COPY ./app /usr/src/app/app
-# Create directories for volumes
-RUN mkdir -p /usr/src/app/storage
+# Create non-root user and set up directories for volumes
+RUN addgroup --system appuser && adduser --system --ingroup appuser appuser
+RUN mkdir -p /usr/src/app/storage /usr/src/app/logs && \
+ chown -R appuser:appuser /usr/src/app
+USER appuser
 # Health check
 HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
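Review bot: The `chown -R appuser:appuser /usr/src/app` on the added `RUN mkdir` line gives the runtime user ownership of the whole application tree, including the code copied by `COPY ./app /usr/src/app/app`, so a compromised process can still rewrite the code it runs. Only the writable directories need to belong to the service account: `chown appuser:appuser /usr/src/app/storage /usr/src/app/logs`, leaving everything else root-owned and read-only to appuser (assuming the app writes nowhere else under /usr/src/app, which the hunk does not show). Because these directories are meant as volume mount points, consider also pinning the IDs, e.g. `addgroup --system --gid 10001 appuser && adduser --system --uid 10001 --ingroup appuser appuser` (sample value), so that bind-mount ownership and an orchestrator's numeric non-root checks stay stable across rebuilds.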