docs: add section about container security

PR-URL: https://github.com/hasura/graphql-engine-mono/pull/9995 Co-authored-by: Rob Dominguez <24390149+robertjdominguez@users.noreply.github.com> GitOrigin-RevId: a18ac49144c1207bf86f9b37e1cabee8186e8e39
2024-12-14 08:02:15 +03:00 · 2023-07-28 21:18:44 +05:30 · 2023-07-28 21:18:44 +05:30 · d303ebc266
commit d303ebc266
parent bbdb7aae08
1 changed files with 40 additions and 0 deletions
--- a/docs/docs/security/container-security.mdx
+++ b/docs/docs/security/container-security.mdx
@ -0,0 +1,40 @@
+---
+description: Container security of Hasura GraphQL Engine images
+sidebar_label: Container Security
+keywords:
+  - hasura
+  - docs
+  - deployment
+  - container
+sidebar_position: 4
+---
+
+# Container Security
+
+## Non-root user and group
+
+By default, all `hasura/graphql-engine` images come with a non-root user and group named `hasura`. Both the user ID
+(UID) and group ID (GID) for this non-root user are `1001`.
+
+We strongly recommend using this non-root user and group to run the `graphql-engine` container. This practice enhances 
+system security and mitigates potential risks in the event of a future container escape vulnerability.
+
+If you're using docker-compose, this can be done by implementing the `user` field like this:
+
+```yaml
+version: '3.6'
+services:
+  graphql-engine:
+    image: hasura/graphql-engine:v2.30.0
+    user: 1001:1001
+    ports:
+      - '8080:8080'
+```
+
+:::info Existing UID and GID
+
+Since the non-root UID and GID is `1001`, you will need to make sure that the host machine in which the container is
+running does not have an existing UID and GID that are `1001`. This will ensure that even if a container escape happens, the
+attacker would not be able to do anything useful in the system.
+
+:::