@Manzanit0
Last active February 27, 2024 20:46
Using container-structure-test to check if image runs as root

Using: https://github.com/GoogleContainerTools/container-structure-test

Install:

```sh
$ brew install container-structure-test
```

Run it with the nonroot.yaml config file provided in the gist:

```
$ container-structure-test test --image docker.io/library/nginx --pull --config nonroot.yaml
latest: Pulling from library/nginx
Digest: sha256:c26ae7472d624ba1fafd296e73cecc4f93f853088e6a9c13c0d52f6ca5865107
Status: Image is up to date for nginx:latest

========================================
====== Test file: image-test.yaml ======
========================================
=== RUN: Command Test: apt-get
--- PASS
duration: 1.705550209s
stdout: root
Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB]
Get:2 http://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]
Get:3 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Get:4 http://deb.debian.org/debian bookworm/main arm64 Packages [8685 kB]
Get:5 http://deb.debian.org/debian bookworm-updates/main arm64 Packages [12.5 kB]
Get:6 http://deb.debian.org/debian-security bookworm-security/main arm64 Packages [141 kB]
Fetched 9093 kB in 1s (8791 kB/s)
Reading package lists...

=== RUN: Metadata Test
--- FAIL
duration: 0s
Error: Image user  does not match config user: nobody
Error: Port 80 should not be exposed

=========================================
================ RESULTS ================
=========================================
Passes:      1
Failures:    1
Duration:    1.705550209s
Total tests: 2

FAIL
```
nonroot.yaml:

```yaml
schemaVersion: 2.0.0
metadataTest:
  user: "nobody"
  unexposedPorts: ['80']
  unmountedVolumes: ['/root']
commandTests:
  - name: 'apt-get'
    command: 'bash'
    args:
      - -c
      - |
        whoami
        apt-get update
containerRunOptions:
  user: 'root'
  privileged: true
```
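Note that in the run above the command test prints `root` from `whoami` because `containerRunOptions.user: 'root'` overrides the image's user for command tests; the actual non-root verdict comes from the metadata test, which compares the image config's `User` field against `nobody` and fails on the empty value nginx ships with. The following is an added illustration, not code from the gist or from container-structure-test: it re-implements the three `metadataTest` checks in `nonroot.yaml` over a constructed `docker inspect`-style image config, so it runs offline. The two inspect samples (`ROOT_IMAGE_INSPECT`, resembling the nginx result in the gist, and `HARDENED_IMAGE_INSPECT`, the same image after adding `USER nobody` and moving the port) are made up here, and the function names are my own.

```python
"""Illustrative re-implementation of the metadataTest checks from nonroot.yaml.

Not container-structure-test's own code; it mirrors the semantics of the
user / unexposedPorts / unmountedVolumes checks over `docker inspect` JSON.
"""
import json

# The metadataTest section of nonroot.yaml, as a Python dict (same values).
NONROOT_CONFIG = {
    "metadataTest": {
        "user": "nobody",
        "unexposedPorts": ["80"],
        "unmountedVolumes": ["/root"],
    }
}

# Constructed sample: the relevant part of `docker inspect <image>` for an image
# that, like the nginx image in the gist run, sets no USER and EXPOSEs port 80.
ROOT_IMAGE_INSPECT = json.dumps([{
    "Config": {
        "User": "",
        "ExposedPorts": {"80/tcp": {}},
        "Volumes": None,
    }
}])

# Constructed sample: the same image after a hardening pass
# (USER nobody, non-privileged port 8080 instead of 80, no VOLUME /root).
HARDENED_IMAGE_INSPECT = json.dumps([{
    "Config": {
        "User": "nobody",
        "ExposedPorts": {"8080/tcp": {}},
        "Volumes": None,
    }
}])


def effective_user(config):
    """An empty User in the image config means the runtime default, i.e. root."""
    return config.get("User") or "root"


def check_metadata(inspect_json, test):
    """Return a list of failure messages; an empty list means the test passes."""
    config = json.loads(inspect_json)[0]["Config"]
    failures = []

    # user: compared literally, as the tool does ("" != "nobody" is a failure).
    want_user = test.get("user")
    actual_user = config.get("User", "")
    if want_user is not None and actual_user != want_user:
        failures.append(
            f"Image user '{actual_user}' (effective: {effective_user(config)}) "
            f"does not match config user: {want_user}"
        )

    # unexposedPorts: ExposedPorts keys look like "80/tcp"; compare the port part.
    exposed = {p.split("/")[0] for p in (config.get("ExposedPorts") or {})}
    for port in test.get("unexposedPorts", []):
        if str(port) in exposed:
            failures.append(f"Port {port} should not be exposed")

    # unmountedVolumes: Volumes is a dict keyed by mount path, or null.
    volumes = set((config.get("Volumes") or {}).keys())
    for vol in test.get("unmountedVolumes", []):
        if vol in volumes:
            failures.append(f"Volume {vol} should not be mounted")

    return failures


def runs_as_root(inspect_json):
    """Does the image start as root when no user override is given at run time?"""
    return effective_user(json.loads(inspect_json)[0]["Config"]) == "root"


if __name__ == "__main__":
    samples = [("root image", ROOT_IMAGE_INSPECT), ("hardened image", HARDENED_IMAGE_INSPECT)]
    for name, inspect_json in samples:
        failures = check_metadata(inspect_json, NONROOT_CONFIG["metadataTest"])
        print(f"{name}: {'PASS' if not failures else 'FAIL'}")
        for message in failures:
            print(f"  Error: {message}")
```

To apply it to a real image, feed it the output of `docker inspect <image>` instead of the constructed samples. The `effective_user` helper makes explicit what the tool's empty-user error message only implies: an image with no `USER` instruction runs as root unless the orchestrator overrides it.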