| Property | Value |
|---|---|
| Severity | Warning |
| Category | Correctness |
| Default | Enabled |
Description
Detects named (non-numeric) user or group references in USER instructions or COPY/ADD --chown flags
within stages that lack /etc/passwd or /etc/group. Named identity resolution requires these database
files; without them, the build fails at RUN time (when an instruction runs as that user) or the runtime rejects the container.
This is a common pitfall in scratch and multi-stage builds that inherit from scratch without copying
the passwd/group databases from a builder stage.
Numeric UIDs/GIDs (e.g., 65532, 1000:1000) work without any passwd database and are the recommended
approach for minimal images.
The rule suppresses after a SHELL instruction, since the user may have bootstrapped tools that handle
identity resolution.
Examples
Bad
Good (numeric IDs)
Good (passwd copied from builder)
Good (non-scratch base image)
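As an added illustration (constructed here, not tally's own implementation), the following Python script re-creates the rule's detection logic: it tracks per build stage whether /etc/passwd and /etc/group are present, inherits that state across FROM references to earlier stages, marks a stage as suppressed after SHELL, and flags named identities in USER and COPY/ADD --chown. The embedded Dockerfiles are constructed samples covering the Bad and Good cases named above plus two edge cases (a stage inheriting from a scratch stage, and a stage that copied only /etc/passwd).

```python
"""Toy scratch/named-identity linter for Dockerfiles (constructed example, not tally's code)."""
import shlex

IDENTITY_DB = ("/etc/passwd", "/etc/group")


def is_named(identity):
    """True when any component of 'user' or 'user:group' is not purely numeric."""
    return any(not part.isdigit() for part in identity.split(":") if part)


def parse_instruction(line):
    """Split a Dockerfile line into (INSTRUCTION, [args]); None for blanks and comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    try:
        tokens = shlex.split(stripped)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        tokens = stripped.split()
    return tokens[0].upper(), tokens[1:]


def missing_for(identity, present, suppressed):
    """Identity DB files still missing for a named identity; [] when nothing to report."""
    if suppressed or not is_named(identity):
        return []
    return sorted(set(IDENTITY_DB) - present)


def lint(dockerfile):
    """Return [(line_number, message)] for named identities in stages lacking passwd/group."""
    findings = []
    stages = {}                  # stage name -> identity DB files present at end of stage
    present = set(IDENTITY_DB)   # files known to exist in the current stage
    stage_name = None
    suppressed = False           # set once SHELL has been seen in the current stage

    for lineno, line in enumerate(dockerfile.splitlines(), 1):
        parsed = parse_instruction(line)
        if parsed is None:
            continue
        instr, args = parsed
        flags = [a for a in args if a.startswith("--")]
        words = [a for a in args if not a.startswith("--")]

        if instr == "FROM":
            if stage_name:
                stages[stage_name] = set(present)
            image = words[0]
            lowered = [w.lower() for w in words]
            stage_name = words[lowered.index("as") + 1] if "as" in lowered else None
            if image.lower() == "scratch":
                present = set()                  # scratch ships no files at all
            elif image in stages:
                present = set(stages[image])     # inherit from an earlier stage
            else:
                present = set(IDENTITY_DB)       # assume a real base image has both
            suppressed = False
        elif instr == "SHELL":
            suppressed = True                    # user may have bootstrapped resolution tools
        elif instr in ("COPY", "ADD"):
            for flag in flags:
                if flag.startswith("--chown="):
                    ident = flag.split("=", 1)[1]
                    missing = missing_for(ident, present, suppressed)
                    if missing:
                        findings.append((lineno, f"--chown={ident} needs {', '.join(missing)}"))
            # Only absolute destination/source paths are recognised; the source
            # stage's own filesystem is not modelled.
            present |= set(words) & set(IDENTITY_DB)
        elif instr == "USER" and words:
            missing = missing_for(words[0], present, suppressed)
            if missing:
                findings.append((lineno, f"USER {words[0]} needs {', '.join(missing)}"))
    return findings


# Constructed sample Dockerfiles, one per case.
BAD = "\n".join([
    "FROM golang:1.22 AS build",
    "RUN go build -o /app ./cmd",
    "FROM scratch",
    "COPY --from=build --chown=nonroot:nonroot /app /app",
    "USER nonroot",
])
GOOD_NUMERIC = "FROM scratch\nCOPY --from=build --chown=65532:65532 /app /app\nUSER 65532"
GOOD_COPIED = "\n".join([
    "FROM golang:1.22 AS build",
    "RUN useradd -u 65532 nonroot",
    "FROM scratch",
    "COPY --from=build /etc/passwd /etc/passwd",
    "COPY --from=build /etc/group /etc/group",
    "USER nonroot",
])
GOOD_BASE = "FROM debian:bookworm-slim\nUSER nobody"
INHERITED = "FROM scratch AS base\nCOPY --from=build /app /app\nFROM base\nUSER app"
PARTIAL = "FROM scratch\nCOPY --from=build /etc/passwd /etc/passwd\nUSER nonroot"
SUPPRESSED = 'FROM scratch\nCOPY --from=busybox /bin/busybox /bin/sh\nSHELL ["/bin/sh", "-c"]\nUSER nonroot'

if __name__ == "__main__":
    for name, text in [("bad", BAD), ("inherited", INHERITED), ("partial", PARTIAL)]:
        print(name, lint(text))
```

The PARTIAL sample shows why the rule checks for both files: a stage that copied only /etc/passwd still fails named-group resolution, and the finding names /etc/group as the missing file.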
Suggested fix
The rule suggests replacing named identities with the numeric UID/GID 65532 (the conventional
non-root ID used by distroless and Chainguard images). This fix uses FixSuggestion safety because
the numeric ID may not match the author's intended user.
Alternatively, copy /etc/passwd and /etc/group from a builder stage that has the desired user.
Related rules
- tally/shell-run-in-scratch: detects shell-form RUN in scratch stages (different concern: shell availability vs identity resolution)
- tally/copy-after-user-without-chown: detects missing --chown after USER (complementary: different condition)
- tally/user-created-but-never-used: detects created users that are never switched to (complementary: different condition)