From 5cc265583dfc46dd16910e77f83fd26dd89e3318 Mon Sep 17 00:00:00 2001
From: Kelly Thomas Reardon
Date: Sun, 10 May 2026 22:34:59 -0500
Subject: [PATCH] updating dockerfile for best practices

---
 .gitea/workflows/docker-build.yaml | 14 ++++++++++++++
 .vscode/settings.json | 3 +++
 Dockerfile | 4 +++-
 3 files changed, 20 insertions(+), 1 deletion(-)
 create mode 100644 .vscode/settings.json

diff --git a/.gitea/workflows/docker-build.yaml b/.gitea/workflows/docker-build.yaml
index 3343317..7b006de 100644
--- a/.gitea/workflows/docker-build.yaml
+++ b/.gitea/workflows/docker-build.yaml
@@ -13,6 +13,20 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v4
 
+ # - name: Run Trivy vulnerability scanner in repo mode
+ # uses: aquasecurity/trivy-action@v0.36.0
+ # with:
+ # scan-type: 'fs'
+ # ignore-unfixed: true
+ # format: 'sarif'
+ # output: 'trivy-results.sarif'
+ # severity: 'CRITICAL'
+
+ # - name: Upload Trivy scan results to GitHub Security tab
+ # uses: github/codeql-action/upload-sarif@v4
+ # with:
+ # sarif_file: 'trivy-results.sarif'
+
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
 
diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 0000000..e106e53
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1,3 @@
+{
+ "trivy.secretScanning": true
+}
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index d9685ac..bed4acb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,8 @@
 FROM mcr.microsoft.com/powershell
 
+USER 1000:1000
+
 WORKDIR /data
 
-ADD ["Start-DoneTickNotifier.ps1", "/data/"]
+COPY ["Start-DoneTickNotifier.ps1", "/data/"]
 ENTRYPOINT ["pwsh", "-Command", "/data/Start-DoneTickNotifier.ps1"]
\ No newline at end of file
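Review bot: Both new steps in the docker-build.yaml hunk are commented out, so the workflow still runs no vulnerability scan and the commit's stated goal of hardening is not reflected in CI. If they are kept as a template, a line explaining why they are disabled would save the next reader from re-enabling them blindly, e.g. `# Disabled: upload-sarif is a GitHub code-scanning action and is unlikely to work from a .gitea workflow; keep the trivy step, drop the upload`. When the scan is re-enabled, note that `severity: 'CRITICAL'` together with `ignore-unfixed: true` hides every HIGH finding and every unfixed CRITICAL; `severity: 'CRITICAL,HIGH'` is the more usual gate. Also, `scan-type: 'fs'` scans the checked-out repository, not the image that the later Buildx step produces, so an image scan after the build would be needed to cover the base layer.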
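Review bot: `USER 1000:1000` in the Dockerfile hunk switches to a numeric UID that presumably has no passwd entry in the `mcr.microsoft.com/powershell` base image, so HOME is likely unset in the container and pwsh's per-user config and cache directories may not be creatable; confirm with a test run, and if it fails, create the account (`RUN useradd -u 1000 -m app` on a Debian/Ubuntu-based image) before the `USER` line or set `ENV HOME` to a writable path. The ADD to COPY change is right; `COPY` still runs as root so the script lands root-owned and read-only for UID 1000, which is sufficient since it is only executed. The `FROM mcr.microsoft.com/powershell` context line carries no tag or digest, so each build may silently pull a different base; pinning it as `FROM mcr.microsoft.com/powershell:<TAG>@sha256:<DIGEST>` (placeholders) would make the image reproducible and the future Trivy results meaningful.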