Using: https://github.com/GoogleContainerTools/container-structure-test
Install:
$ brew install container-structure-test
Run it with the nonroot.yaml config file provided in the gist (it checks that the image's configured user is nobody and that port 80 is not exposed, which nginx:latest fails on both counts):
$ container-structure-test test --image docker.io/library/nginx --pull --config nonroot.yaml
latest: Pulling from library/nginx
Digest: sha256:c26ae7472d624ba1fafd296e73cecc4f93f853088e6a9c13c0d52f6ca5865107
Status: Image is up to date for nginx:latest
========================================
====== Test file: image-test.yaml ======
========================================
=== RUN: Command Test: apt-get
--- PASS
duration: 1.705550209s
stdout: root
Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB]
Get:2 http://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]
Get:3 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Get:4 http://deb.debian.org/debian bookworm/main arm64 Packages [8685 kB]
Get:5 http://deb.debian.org/debian bookworm-updates/main arm64 Packages [12.5 kB]
Get:6 http://deb.debian.org/debian-security bookworm-security/main arm64 Packages [141 kB]
Fetched 9093 kB in 1s (8791 kB/s)
Reading package lists...
=== RUN: Metadata Test
--- FAIL
duration: 0s
Error: Image user does not match config user: nobody
Error: Port 80 should not be exposed
=========================================
================ RESULTS ================
=========================================
Passes: 1
Failures: 1
Duration: 1.705550209s
Total tests: 2
FAIL
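The gist's nonroot.yaml itself is not reproduced above. The config below is an added example, not the gist's file and not part of container-structure-test, showing how the two failing metadata checks in that run (user and exposed port) are written in the tool's v2 schema, together with two command tests that turn the "stdout: root" line and the successful apt-get update into failures of their own. The test names, the choice of nobody as the required user, the docker driver, and the "Permission denied" text apt-get prints when it cannot take its lock are assumptions.

```yaml
# Added example, not the gist's nonroot.yaml: a container-structure-test
# config (schema v2, docker driver assumed) that fails an image which runs
# as root, can still run apt-get update, or exposes port 80.
schemaVersion: "2.0.0"

commandTests:
  # Command tests run in a container started from the image, so they
  # inherit its USER. The run above printed "root" for nginx:latest.
  - name: "process runs as non-root"
    command: "whoami"
    excludedOutput: ['^root\s*$']

  # A successful apt-get update (as in the run above) shows the process can
  # write the package database. As a non-root user apt cannot take the lock
  # under /var/lib/apt/lists; the stderr text matched here is an assumption
  # about the image's apt version.
  - name: "apt-get cannot update as the image user"
    command: "apt-get"
    args: ["update"]
    expectedError: ["Permission denied"]

metadataTest:
  # Compared as a string against the User field of the image config, so an
  # image built with USER 65534 fails this even though that is nobody's uid.
  user: "nobody"
  # Binding port 80 as non-root needs CAP_NET_BIND_SERVICE or a lowered
  # net.ipv4.ip_unprivileged_port_start, so a non-root image should listen
  # on an unprivileged port instead of exposing 80.
  unexposedPorts: ["80"]
```

Run it with the same command as above, pointing --config at this file. Against nginx:latest the whoami test, the apt-get test, and both metadata assertions fail, which is the expected result for an image that has no USER instruction; an image that sets USER to an unprivileged account and exposes only a high port passes all four. Because the user comparison is an exact string match, write the same form (name or numeric uid) in the config that the Dockerfile uses.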