Will It Vibe logoWill It Vibe?
K8S-003High severity-15 points

runAsNonRoot disabled

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

securityContext.runAsNonRoot: false permits the container to run as UID 0, removing a key defense against container escape.

Why it matters

runAsNonRoot: false permits the container to run its process as UID 0. Root inside the container shares the host kernel, so a kernel or runtime bug becomes a path to root on the node. Running as an unprivileged user contains the blast radius of most container vulnerabilities.

How to fix it

Set runAsNonRoot: true and pick a concrete non-zero runAsUser (for example 1000) in the securityContext. Make sure the image actually supports a non-root user: some official images need a numeric USER in the Dockerfile and correct file ownership on writable paths. Test that the process can still read its config and write any directories it needs.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks