github-starred/flowsint
2
0
Fork 0
mirror of https://github.com/reconurge/flowsint.git synced 2026-05-07 04:09:49 -05:00
Code Issues 264 Packages Projects Releases 11 Wiki Activity

[GH-ISSUE #96] Security scan and set a non-root user in docker files #620

New Issue
Open
opened 2026-04-21 22:41:30 -05:00 by GiteaMirror · 1 comment
GiteaMirror commented 2026-04-21 22:41:30 -05:00
Owner
Copy Link

Originally created by @JL-Tests on GitHub (Dec 11, 2025).
Original GitHub issue: https://github.com/reconurge/flowsint/issues/96

Hi,

I know usage is mainly local, but for prevent lateral attacks or container escape, could you add at least an USER instruction in Docker files please ?
For example:

USER root
RUN apt-get update && apt-get install -y your-package
# ...
RUN groupadd -g 1234 customgroup && useradd -m -u 1234 -g customgroup customuser
USER customuser
WORKDIR /home/customuser
# ...

Hopefully this will help you.
Greetings, JL.

FYI security scans with semgrep (image capture and csv attached for code and supply chain findings)
Image

Code findings
Image

Supply chain findings (generally CVE)
Image

Full CSV exports

Flowsint_Code_Findings_2025_12_11.csv
Flowsint_Supply_Chain_Findings_2025_12_11.csv

Originally created by @JL-Tests on GitHub (Dec 11, 2025). Original GitHub issue: https://github.com/reconurge/flowsint/issues/96 Hi, I know usage is mainly local, but for prevent lateral attacks or container escape, could you add at least an USER instruction in Docker files please ? For example: ``` USER root RUN apt-get update && apt-get install -y your-package # ... RUN groupadd -g 1234 customgroup && useradd -m -u 1234 -g customgroup customuser USER customuser WORKDIR /home/customuser # ... ``` Hopefully this will help you. Greetings, JL. ---- FYI security scans with [semgrep](https://github.com/semgrep/semgrep) (image capture and csv attached for code and supply chain findings) <img width="910" height="84" alt="Image" src="https://github.com/user-attachments/assets/06c92bd5-ba7b-40ce-9c69-5740270ef180" /> **Code findings** <img width="956" height="775" alt="Image" src="https://github.com/user-attachments/assets/56a87d46-4f94-4a32-9708-7bd6d8584f3f" /> **Supply chain findings (generally CVE)** <img width="903" height="806" alt="Image" src="https://github.com/user-attachments/assets/85145b76-a62e-484f-956e-f5d885b76595" /> **Full CSV exports** [Flowsint_Code_Findings_2025_12_11.csv](https://github.com/user-attachments/files/24108423/Flowsint_Code_Findings_2025_12_11.csv) [Flowsint_Supply_Chain_Findings_2025_12_11.csv](https://github.com/user-attachments/files/24108427/Flowsint_Supply_Chain_Findings_2025_12_11.csv)
GiteaMirror commented 2026-04-21 22:41:31 -05:00
Author
Owner
Copy Link

@dextmorgn commented on GitHub (Dec 12, 2025):

Hey @JL-Tests, thanks for this content, and thank you for identifying those vulnerabilities.

Regarding the use of the root user in the Celery container: you're right, this isn’t ideal.
For now, the container needs elevated permissions to access the Docker socket in order to create new containers on the fly.
We plan to improve this by switching to a dedicated non-root user with the appropriate group permissions mapped to the Docker socket.

About the vulnerability report: I can spot some issues that should be fixed in recent commits; for example, the query injection in /api/routes/sketches.py. This part now relies on our dedicated GraphRepository. I'll take a look at the other warnings.

@sealldeveloper also did an amazing job finding those vulns and provided great reports and PoC.

Thanks again !

<!-- gh-comment-id:3645759049 --> @dextmorgn commented on GitHub (Dec 12, 2025): Hey @JL-Tests, thanks for this content, and thank you for identifying those vulnerabilities. Regarding the use of the root user in the Celery container: you're right, this isn’t ideal. For now, the container needs elevated permissions to access the Docker socket in order to create new containers on the fly. We plan to improve this by switching to a dedicated non-root user with the appropriate group permissions mapped to the Docker socket. About the vulnerability report: I can spot some issues that should be fixed in recent commits; for example, the query injection in `/api/routes/sketches.py`. This part now relies on our dedicated `GraphRepository`. I'll take a look at the other warnings. @sealldeveloper also did an amazing job finding those vulns and provided great reports and PoC. Thanks again !
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
documentation
enhancement
pull-request
Mirrored from GitHub Pull Request
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/flowsint#620
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?