Will It Vibe logoWill It Vibe?
DOCKER-019Low severity-4 points

Files copied root-owned while a non-root USER is set

Part of Architecture & Best Practices, which counts for 15% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.

What it detects

The image switches to a non-root USER but COPY/ADD without --chown leaves files owned by root, so the app user cannot write them and startup or writable-path logic can fail. Heuristic.

Why it matters

The image switches to a non-root user, but files brought in with COPY/ADD are owned by root by default. The app user then cannot modify those paths, which breaks writable directories, cache folders, and some framework startup steps. This is a heuristic based on the presence of a non-root USER.

How to fix it

Set ownership at copy time with COPY --chown=user:group src dst so the files land owned by the runtime user. Only apply it to paths the app needs to own or write; code that stays read-only can remain root-owned intentionally.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Architecture & Best Practices checks