Harden Dockerfile: HTTPS downloads, non-root user, git clone retained #307
Merged
…gnore Co-authored-by: ekosman <10260165+ekosman@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Review Dockerfile for security and functionality" to "Harden Dockerfile: HTTPS downloads, non-root user, COPY over git clone" on Feb 21, 2026
ekosman reviewed on Feb 21, 2026
Co-authored-by: ekosman <10260165+ekosman@users.noreply.github.com>
Copilot AI changed the title from "Harden Dockerfile: HTTPS downloads, non-root user, COPY over git clone" to "Harden Dockerfile: HTTPS downloads, non-root user, git clone retained" on Feb 21, 2026
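The Dockerfile had several security and correctness issues: downloading artifacts over plain HTTP, running as root, and pulling requirements.txt from Google Drive unnecessarily.

Security
- c3d.pickle wget download
- anomalyuser) added; container no longer runs as root
- /usr/bin/apt-get only — not NOPASSWD:ALL

Functional
- git clone retained — the image remains portable and can be built from any machine without a local copy of the repository
- requirements.txt is included in the cloned repository; no need to fetch from Google Drive
- conda install in setup_anomaly.sh targets -n anomaly explicitly and no longer runs under sudo; anomalyuser owns /opt/conda/envs/anomaly
- setup_anomaly.sh apt-get calls prefixed with sudo to work correctly under the new non-root user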
git cloneretained — the image remains portable and can be built from any machine without a local copy of the repositoryrequirements.txtis included in the cloned repository; no need to fetch from Google Driveconda installinsetup_anomaly.shtargets-n anomalyexplicitly and no longer runs undersudo;anomalyuserowns/opt/conda/envs/anomalysetup_anomaly.shapt-getcalls prefixed withsudoto work correctly under the new non-root user✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.