Files copied root-owned while a non-root USER is set
Part of Architecture & Best Practices, which counts for 15% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
The image switches to a non-root USER but COPY/ADD without --chown leaves files owned by root, so the app user cannot write them and startup or writable-path logic can fail. Heuristic.
Why it matters
The image switches to a non-root user, but files brought in with COPY/ADD are owned by root by default. The app user then cannot modify those paths, which breaks writable directories, cache folders, and some framework startup steps. This is a heuristic based on the presence of a non-root USER.
How to fix it
Set ownership at copy time with COPY --chown=user:group src dst so the files land owned by the runtime user. Only apply it to paths the app needs to own or write; code that stays read-only can remain root-owned intentionally.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo