Security: harden Docker runtime file ownership to resolve docker:S6504 hotspots

apps/app-frontend/Dockerfile

@@ -39,9 +39,13 @@ RUN addgroup -S appgroup && adduser -S appuser -G appgroup
 # In Docker the workspace root has no apps/package.json so Next.js sets
 # outputFileTracingRoot to the app directory — standalone output lands
 # directly at .next/standalone/server.js (no subdirectory nesting).
-COPY --from=builder --chown=appuser:appgroup /repo/apps/app-frontend/.next/standalone ./
-COPY --from=builder --chown=appuser:appgroup /repo/apps/app-frontend/.next/static ./.next/static
-COPY --from=builder --chown=appuser:appgroup /repo/apps/app-frontend/public ./public
+# Files are owned by root so the runtime user cannot tamper with deployed artefacts.
+COPY --from=builder --chown=root:root /repo/apps/app-frontend/.next/standalone ./
+COPY --from=builder --chown=root:root /repo/apps/app-frontend/.next/static ./.next/static
+COPY --from=builder --chown=root:root /repo/apps/app-frontend/public ./public
+# Remove write permission for all users on application files (immutable container).
+# Next.js standalone only needs /tmp for any ephemeral writes, which is world-writable.
+RUN chmod -R a-w /app
 
 USER appuser
 EXPOSE 3000

apps/marketing-site/Dockerfile

@@ -28,8 +28,12 @@ RUN apk upgrade --no-cache && \
            /usr/local/bin/corepack
 
 RUN addgroup -S appgroup && adduser -S appuser -G appgroup
-COPY --from=builder --chown=appuser:appgroup /app/dist ./dist
-COPY --from=builder --chown=appuser:appgroup /app/node_modules ./node_modules
+# Files are owned by root so the runtime user cannot tamper with deployed artefacts.
+COPY --from=builder --chown=root:root /app/dist ./dist
+COPY --from=builder --chown=root:root /app/node_modules ./node_modules
+# Remove write permission for all users on application files (immutable container).
+# The Astro @astrojs/node adapter only needs /tmp for any ephemeral writes.
+RUN chmod -R a-w /app
 
 ENV NODE_ENV=production
 ENV HOST=0.0.0.0

services/core-api/src/Curvit.Api/Dockerfile

@@ -19,8 +19,13 @@ FROM mcr.microsoft.com/dotnet/aspnet:10.0-alpine@sha256:60eb031b554df75a4b9f3582
 WORKDIR /app
 RUN apk update && apk upgrade --no-cache && apk add --no-cache krb5-libs && \
     addgroup -S appgroup && adduser -S appuser -G appgroup
+# Files are owned by root so the runtime user cannot tamper with deployed artefacts.
+COPY --from=build --chown=root:root /app/publish .
+# Remove write permission for all users on application files (immutable container).
+# ASP.NET Core uses /tmp for ephemeral writes (e.g. form-file buffers); no
+# writable path is needed inside /app.
+RUN chmod -R a-w /app
 USER appuser
-COPY --from=build --chown=appuser:appgroup /app/publish .
 EXPOSE 5000
 ENV ASPNETCORE_URLS=http://+:5000
 ENTRYPOINT ["dotnet", "Curvit.Api.dll"]