The reason why the CI is failing at this point is because the semgrep scanner dockerfile is now using the root user, and "RunAsNonRoot" is set on our end.

In addition, semgrep fixed a regression that I had previously implemented a workaround for, making the workaround harmful.

I set runAsNonRoot: false and removed the workaround to fix the issues.

To whoever will review this: Is it okay to have the container run as root, or do we need to have a separate container that we build based on the official one just to change the user the code is running as? According to semgrep, the change to the root user was made because otherwise they had problems running the image as part of a CI job, so it was an intentional change that is unlikely to be reverted soon.

It's "ok'ish", it will likely cause the scan type to fail on a lot of clusters as a lot of cluster enforece running as non root.

You can potentially overwrite this semgrep change by using the runAsUser: <user_id_here> in pods security context.

I filed an issue with semgrep (where I also corrected some misconception I had about how this change was introduced, so some of the stuff I wrote above was incorrect). Let's see what the response is there before merging this.

A semgrep dev confirmed that the change was intentional and will not be reverted. So, we can either build our own Docker image that simply adds a new user and defaults to using it, or allow the existing image to run as root. Preferences?

MegaLinter status: ⚠️ WARNING

See errors details in artifact MegaLinter reports on CI Job page
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

@malexmave I've added the breaking label so that we don't forget to put a note about this root change in the release notes