Container runs as root (no USER instruction)
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
The Dockerfile never sets a USER, so the process runs as root. A container escape or app compromise then starts with root in the container. Set a dedicated non-root user for the final stage.
Why it matters
With no USER instruction the container process runs as root. If the app is compromised or a container escape is found, the attacker starts as root inside the container, which removes a layer of defense and can make host-level escapes easier.
How to fix it
Create or use a non-root user and switch to it before the process starts: create the user (or use one the base image ships, like node), chown the paths it needs, then add USER in the final stage. Make sure the app does not require binding to a port below 1024 as non-root.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo