Add SECURITY.md#697
Open
jolorunyomi wants to merge 1 commit into
Open
Conversation
msarahan
approved these changes
May 13, 2026
trxcllnt
reviewed
May 13, 2026
Comment on lines
+94
to
+96
| container. The `main` devcontainer additionally sets | ||
| `"containerUser": "root"`, so post-attach code runs as root inside | ||
| the container. |
Collaborator
There was a problem hiding this comment.
No, containerUser defines the user during the image build, not the user the container is run as. The container runs as the unprivileged coder user, including all lifecycle scripts.
trxcllnt
reviewed
May 13, 2026
Comment on lines
+128
to
+135
| 2. **`containerUser: root` in the main devcontainer.** | ||
| The base `image/.devcontainer/devcontainer.json` declares | ||
| `"containerUser": "root"`. Code running as root inside the | ||
| container can write to mounted host paths with uid 0 ownership, | ||
| which surprises subsequent host-side tooling and (depending on | ||
| Docker rootless / rootful configuration) can produce files the | ||
| host user cannot remove without `sudo`. Consumer configs that | ||
| override this should be reviewed against their feature set. |
trxcllnt
reviewed
May 13, 2026
Comment on lines
+211
to
+214
| on disk (subject to Docker's user namespace configuration). Files | ||
| written by container processes appear in `~/.aws`, `~/.config`, | ||
| and sibling source repos on the host. The container is not a | ||
| sandbox for protecting host secrets. |
Collaborator
There was a problem hiding this comment.
Whether the mounts are in the user's home directory depends on whether the repo with the devcontainer was cloned into the home directory or not. We do not explicitly write to $HOME/.aws on the host, but that will be the path if the repo with the devcontainer is a sibling of $HOME/.aws.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR adds a SECURITY.md file to the repository, outlining the security policies and procedures for reporting vulnerabilities. This is part of our effort to enhance the security posture of our projects and ensure that we have a clear process for handling security issues.