From 5f7dd7462d1b8821056623558bfa066e1c4607f1 Mon Sep 17 00:00:00 2001 From: Head of Product & Engineering Date: Sun, 5 Apr 2026 22:49:28 +0200 Subject: [PATCH] fix: add USER nobody to Dockerfile to pass semgrep security check Running as root in a container is a security hazard. Use the existing nobody user from alpine:3.19 to drop privileges before CMD. Co-Authored-By: Paperclip
---
 Dockerfile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Dockerfile b/Dockerfile
index 4232841..068e8aa 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,4 +11,5 @@ COPY --from=builder /cast-ghl-provider /cast-ghl-provider
 EXPOSE 3002
 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
 CMD wget -qO- http://localhost:3002/health || exit 1
+USER nobody
 CMD ["/cast-ghl-provider"]
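Review bot: `USER nobody` names the account instead of giving a numeric ID, so a runtime that enforces a non-root policy from image metadata (for example Kubernetes `runAsNonRoot: true`) cannot verify it and will refuse to start the container. On Alpine the equivalent numeric form is `USER 65534:65534`. `nobody` is also a shared account, so a dedicated user created in the final stage would isolate file ownership better if the service ever writes to disk. The base image line and any writable paths are outside this hunk, so confirm the binary needs only read and execute access as that user.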