container from scratch (5M)

Dockerfile

@@ -1,18 +1,39 @@
 FROM golang:alpine as builder
 
-ENV GO111MODULE=on
-RUN apk add git
+RUN apk add --no-cache git
 ADD . /app
-
 WORKDIR /app
+
+# create appuser
+ENV USER=appuser
+ENV UID=10001
+
+# See https://stackoverflow.com/a/55757473/12429735RUN
+RUN adduser \
+    --disabled-password \
+    --gecos "" \
+    --home "/nonexistent" \
+    --shell "/sbin/nologin" \
+    --no-create-home \
+    --uid "${UID}" \
+    "${USER}"
+
 RUN go mod download
-RUN CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" -o binary
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" -o binary
 
-FROM alpine:latest as production
-RUN mkdir /app
-COPY --from=builder /app/binary /app
-COPY --from=builder /app/api.json /app
+FROM scratch as production
+
+# import the user and group files from the builder.
+COPY --from=builder /etc/passwd /etc/passwd
+COPY --from=builder /etc/group /etc/group
+
+# copy executable & config
+COPY --from=builder /app/binary /app/
+COPY --from=builder /app/api.json /app/
+
+# Use an unprivileged user.
+USER appuser:appuser
+WORKDIR /app/
 
-WORKDIR /app
 EXPOSE 4242/tcp
-CMD "/app/binary"
+CMD ["/app/binary"]