Final USER is root
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
A USER instruction exists but the last one switches back to root (or UID 0), so the running container is root despite the earlier drop. The effective user is the one that matters.
Why it matters
A later USER root undoes an earlier drop to a non-root user, so the container ends up running as root regardless of the earlier instruction. The effective user is the last one set, and that is what the running process gets.
How to fix it
End the final stage on the non-root user. If a build step genuinely needs root (installing packages, chown), do it, then switch back to the non-root user with a final USER instruction before CMD/ENTRYPOINT.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo