ADD file using FROM scratch and security best practice


As the documentation states, when we use the ADD instruction in a Dockerfile, the file will be added with UID and GID 0.

All new files and directories are created with a UID and GID of 0.

Best practice says we should not run the container as root.
When we use scratch as the base image, how can we change the file owner and/or file permissions?

In the example below, the file app will be root:root and the permissions will be the same as I have on my host.

FROM scratch
COPY app /app
COPY /etc/passwd /etc/group /etc/shadow /etc/
USER nobody:nogroup
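
One way to set owner and mode at copy time on a scratch image, as an added example that is not part of the original question. It assumes BuildKit is enabled (required for `--chmod`), that `app` is a statically linked binary in the build context, and that 65534 is the chosen unprivileged UID/GID; the `accounts` stage name and the `busybox` helper image are illustrative choices.

```dockerfile
# syntax=docker/dockerfile:1
# Added example; stage name, helper image and UID/GID 65534 are assumptions.

# Helper stage: write minimal account files rather than copying the host's /etc files.
FROM busybox AS accounts
RUN echo 'nobody:x:65534:65534:nobody:/:/sbin/nologin' > /passwd \
 && echo 'nogroup:x:65534:' > /group

FROM scratch
# COPY creates /etc if it does not exist in the empty scratch filesystem.
COPY --from=accounts /passwd /etc/passwd
COPY --from=accounts /group /etc/group

# Variant A: keep the binary root-owned and read+execute only, so the mode no longer
# depends on the host file. The process still runs unprivileged, because USER
# (not file ownership) sets the runtime UID/GID, and it cannot rewrite its own binary.
COPY --chown=0:0 --chmod=0555 app /app

# Variant B: give the file to the runtime user. Numeric IDs need no /etc/passwd
# or /etc/group lookup inside the image.
# COPY --chown=65534:65534 --chmod=0500 app /app

# Numeric UID:GID works on scratch even without account files.
USER 65534:65534
ENTRYPOINT ["/app"]
```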