Docker container runs as root
Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
No USER instruction was found in the Dockerfile, so the container runs as root by default.
Why it matters
A container with no USER instruction runs your app as root, so any code execution bug in the app hands the attacker root inside the container. Combined with a kernel exploit, a mounted docker socket, or an over-privileged runtime, that becomes root on the host. Dropping to a non-root user is a one-time Dockerfile change that removes a whole class of escalation.
How to fix it
Use the non-root user your base image already provides where possible: official node images ship a "node" user, so add USER node before CMD. On slim or distroless Python images, create one: RUN useradd --create-home appuser, then USER appuser. Make sure the app directory and any writable paths are owned by that user (COPY --chown=appuser:appuser or a chown in the same RUN), and if the app listened on a port below 1024, move it to a high port like 8080.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo