Don't run Docker as root user

[Copilot]

This PR addresses a security vulnerability where the Docker container was running as the root user, which violates secure coding practices and increases the attack surface if the container is compromised.

Changes Made

• Create a non-root user in the Dockerfile
• Switch to non-root user in the runtime stage
• Maintain proper instruction sequence in Dockerfile
• Remove TestResults files from version control

The Dockerfile has been updated to follow Docker security best practices by:

1. Creating a non-root user: Added commands to create a dedicated nonroot group and user in the Alpine-based runtime stage
2. Switching to non-root user: Added USER nonroot instruction to ensure the container runs with reduced privileges
3. Maintaining proper instruction sequence: Ensured the user creation happens before copying files and switching users occurs before the entrypoint

Before and After

Before:

FROM mcr.microsoft.com/dotnet/runtime:9.0-alpine
COPY --from=build-env /app/out .
ENTRYPOINT [ "dotnet", "/SemVer.Json.dll" ]

After:

FROM mcr.microsoft.com/dotnet/runtime:9.0-alpine
RUN addgroup -S nonroot \
    && adduser -S nonroot -G nonroot
COPY --from=build-env /app/out .
USER nonroot
ENTRYPOINT [ "dotnet", "/SemVer.Json.dll" ]

Security Impact

• Reduced attack surface: If the container is compromised, the attacker will only have non-root privileges
• Principle of least privilege: The application runs with only the minimum permissions required
• Compliance: Meets SonarQube security recommendations and Docker best practices

Testing

• All existing unit tests continue to pass
• Build process remains unchanged
• Dockerfile syntax and instruction sequence verified with custom validation script

The implementation follows the compliant solution pattern for Alpine-based multi-stage builds as recommended in the security guidelines.

Fixes #233.

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[github-actions]

Test Results

8 tests   8 ✅  0s ⏱️
1 suites  0 💤
1 files    0 ❌

Results for commit 21e529c.

♻️ This comment has been updated with latest results.

[baynezy]

@copilot - all files in any folder called TestResults should not be in version control.

[Copilot]

You're absolutely right. I've removed the TestResults files from version control in commit 21e529c. The .gitignore already had the correct rules to exclude TestResults directories, but the file was accidentally added in my previous commits.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud