microsoft · tamirkamara · Oct 23, 2025 · Oct 22, 2025 · Oct 22, 2025 · Oct 22, 2025
diff --git a/...ples/deployments/openai-anonymaztion-and-deanonymaztion-best-practices/src/api/Dockerfile b/...ples/deployments/openai-anonymaztion-and-deanonymaztion-best-practices/src/api/Dockerfile
@@ -12,4 +12,9 @@ RUN python -m spacy download nl_core_news_sm
 
 COPY . .
 
+# Create a non-root user and set ownership
+RUN useradd -m -u 1001 presidio && chown -R presidio:presidio /app
+
+USER 1001
+
 CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "80"]
diff --git a/...ployments/openai-anonymaztion-and-deanonymaztion-best-practices/src/client_app/Dockerfile b/...ployments/openai-anonymaztion-and-deanonymaztion-best-practices/src/client_app/Dockerfile
@@ -8,4 +8,9 @@ RUN pip install --no-cache-dir -r requirements.txt
 
 COPY . .
 
+# Create a non-root user and set ownership
+RUN useradd -m -u 1001 presidio && chown -R presidio:presidio /app
+
+USER 1001
+
 CMD ["python", "serve.py"]
diff --git a/presidio-analyzer/Dockerfile b/presidio-analyzer/Dockerfile
@@ -4,6 +4,7 @@ ARG NLP_CONF_FILE=presidio_analyzer/conf/default.yaml
 ARG ANALYZER_CONF_FILE=presidio_analyzer/conf/default_analyzer.yaml
 ARG RECOGNIZER_REGISTRY_CONF_FILE=presidio_analyzer/conf/default_recognizers.yaml
 ENV PIP_NO_CACHE_DIR=1
+ENV POETRY_VIRTUALENVS_CREATE=false
 
 ENV ANALYZER_CONF_FILE=${ANALYZER_CONF_FILE}
 ENV RECOGNIZER_REGISTRY_CONF_FILE=${RECOGNIZER_REGISTRY_CONF_FILE}
@@ -32,6 +33,12 @@ COPY ./install_nlp_models.py /app/
 RUN poetry run python install_nlp_models.py --conf_file ${NLP_CONF_FILE}
 
 COPY . /app/
+
+# Create a non-root user and set ownership
+RUN useradd -m -u 1001 presidio && chown -R presidio:presidio /app
+
+USER 1001
+
 EXPOSE ${PORT}
 HEALTHCHECK --interval=30s --timeout=3s --start-period=30s --retries=3 \
     CMD curl -f http://localhost:${PORT}/health || exit 1

diff --git a/presidio-analyzer/Dockerfile.dev b/presidio-analyzer/Dockerfile.dev
@@ -18,3 +18,8 @@ RUN apt-get update \
   && apt-get install -y build-essential
 
 RUN pip install poetry
+
+# Create a non-root user for development
+RUN useradd -m -u 1001 presidio
+
+USER 1001
diff --git a/presidio-analyzer/Dockerfile.stanza b/presidio-analyzer/Dockerfile.stanza
@@ -4,6 +4,7 @@ ARG NLP_CONF_FILE=presidio_analyzer/conf/default.yaml
 ARG ANALYZER_CONF_FILE=presidio_analyzer/conf/default_analyzer.yaml
 ARG RECOGNIZER_REGISTRY_CONF_FILE=presidio_analyzer/conf/default_recognizers.yaml
 ENV PIP_NO_CACHE_DIR=1
+ENV POETRY_VIRTUALENVS_CREATE=false
 
 ENV ANALYZER_CONF_FILE=${ANALYZER_CONF_FILE}
 ENV RECOGNIZER_REGISTRY_CONF_FILE=${RECOGNIZER_REGISTRY_CONF_FILE}
@@ -31,6 +32,12 @@ COPY ./install_nlp_models.py /app/
 RUN poetry run python install_nlp_models.py --conf_file ${NLP_CONF_FILE}
 
 COPY . /app/
+
+# Create a non-root user and set ownership
+RUN useradd -m -u 1001 presidio && chown -R presidio:presidio /app
+
+USER 1001
+
 EXPOSE ${PORT}
 HEALTHCHECK --interval=30s --timeout=3s --start-period=30s --retries=3 \
     CMD curl -f http://localhost:${PORT}/health || exit 1

diff --git a/presidio-analyzer/Dockerfile.transformers b/presidio-analyzer/Dockerfile.transformers
@@ -4,6 +4,7 @@ ARG NLP_CONF_FILE=presidio_analyzer/conf/transformers.yaml
 ARG ANALYZER_CONF_FILE=presidio_analyzer/conf/default_analyzer.yaml
 ARG RECOGNIZER_REGISTRY_CONF_FILE=presidio_analyzer/conf/default_recognizers.yaml
 ENV PIP_NO_CACHE_DIR=1
+ENV POETRY_VIRTUALENVS_CREATE=false
 WORKDIR /app
 
 ENV ANALYZER_CONF_FILE=${ANALYZER_CONF_FILE}
@@ -28,6 +29,12 @@ COPY ./install_nlp_models.py /app/
 RUN poetry run python install_nlp_models.py --conf_file ${NLP_CONF_FILE}
 
 COPY . /app/
+
+# Create a non-root user and set ownership
+RUN useradd -m -u 1001 presidio && chown -R presidio:presidio /app
+
+USER 1001
+
 EXPOSE ${PORT}
 HEALTHCHECK --interval=30s --timeout=3s --start-period=30s --retries=3 \
     CMD curl -f http://localhost:${PORT}/health || exit 1

diff --git a/presidio-analyzer/Dockerfile.windows b/presidio-analyzer/Dockerfile.windows
@@ -32,6 +32,11 @@ COPY ${NLP_CONF_FILE} ${NLP_CONF_FILE}
 RUN poetry run python install_nlp_models.py --conf_file $Env:NLP_CONF_FILE
 
 COPY . .
+
+# Create a non-root user for Windows container
+RUN net user presidio /add
+USER presidio
+
 EXPOSE ${PORT}
 
 HEALTHCHECK --interval=30s --timeout=3s --start-period=30s --retries=3 \

diff --git a/presidio-anonymizer/Dockerfile b/presidio-anonymizer/Dockerfile
@@ -1,6 +1,7 @@
 FROM python:3.13-slim
 
 ENV PIP_NO_CACHE_DIR=1
+ENV POETRY_VIRTUALENVS_CREATE=false
 
 ENV PORT=3000
 ENV WORKERS=1
@@ -15,6 +16,11 @@ RUN pip install poetry && poetry install --no-root --only=main -E server
 
 COPY . /app/
 
+# Create a non-root user and set ownership
+RUN useradd -m -u 1001 presidio && chown -R presidio:presidio /app
+
+USER 1001
+
 EXPOSE ${PORT}
 HEALTHCHECK --interval=30s --timeout=3s --start-period=30s --retries=3 \
     CMD curl -f http://localhost:${PORT}/health || exit 1

diff --git a/presidio-anonymizer/Dockerfile.dev b/presidio-anonymizer/Dockerfile.dev
@@ -5,3 +5,8 @@ RUN apt-get update \
   && apt-get install -y build-essential
 
 RUN pip install poetry
+
+# Create a non-root user for development
+RUN useradd -m -u 1001 presidio
+
+USER 1001
diff --git a/presidio-anonymizer/Dockerfile.windows b/presidio-anonymizer/Dockerfile.windows
@@ -10,6 +10,10 @@ RUN python.exe -m pip install --upgrade pip; pip install poetry; poetry install
 
 COPY . /app/
 
+# Create a non-root user for Windows container
+RUN net user presidio /add
+USER presidio
+
 EXPOSE ${PORT}
 HEALTHCHECK --interval=30s --timeout=3s --start-period=30s --retries=3 \
     CMD powershell -Command "try { Invoke-WebRequest -Uri http://localhost:$env:PORT/health -UseBasicParsing | Out-Null; exit 0 } catch { exit 1 }"

diff --git a/presidio-image-redactor/Dockerfile b/presidio-image-redactor/Dockerfile
@@ -4,6 +4,7 @@ ARG NLP_CONF_FILE
 ARG ANALYZER_CONF_FILE
 ARG RECOGNIZER_REGISTRY_CONF_FILE
 ENV PIP_NO_CACHE_DIR=1
+ENV POETRY_VIRTUALENVS_CREATE=false
 
 ENV ANALYZER_CONF_FILE=${ANALYZER_CONF_FILE}
 ENV RECOGNIZER_REGISTRY_CONF_FILE=${RECOGNIZER_REGISTRY_CONF_FILE}
@@ -26,7 +27,16 @@ RUN apt-get update \
 COPY ./pyproject.toml /app/
 RUN pip install poetry && poetry install --no-root --only=main -E server
 
+# Install spaCy model during build (as root) so it's available to non-root user at runtime
+RUN python -m spacy download en_core_web_lg
+
 COPY . /app/
+
+# Create a non-root user and set ownership
+RUN useradd -m -u 1001 presidio && chown -R presidio:presidio /app
+
+USER 1001
+
 EXPOSE ${PORT}
 HEALTHCHECK --interval=30s --timeout=3s --start-period=30s --retries=3 \
     CMD curl -f http://localhost:${PORT}/health || exit 1

diff --git a/presidio-image-redactor/Dockerfile.dev b/presidio-image-redactor/Dockerfile.dev
@@ -14,3 +14,8 @@ RUN apt-get update  \
 && apt-get install ffmpeg libsm6 libxext6  -y
 
 RUN pip install poetry
+
+# Create a non-root user for development
+RUN useradd -m -u 1001 presidio
+
+USER 1001