Skip to main content
Final stage creates a user but never switches to it.

Description

This rule detects Dockerfiles where the final stage (or its FROM ancestry chain) creates a dedicated user via useradd or adduser, but the effective runtime identity stays root and no privilege-drop entrypoint pattern is detected. This is a high-signal indicator of an incomplete hardening attempt or cargo-culted user setup. On Windows containers, the rule also detects net user /add and New-LocalUser commands. The USER instruction sets the default process identity for the container at runtime. Creating a user without switching to it means the container runs as root despite the preparation work.

Suppression

The rule is automatically suppressed when:
  • The effective USER in the final stage is non-root.
  • A privilege-drop tool is referenced in ENTRYPOINT or CMD (gosu, su-exec, suexec, setpriv).
  • The base image is known to default to non-root: Distroless :nonroot tags, Chainguard/cgr.dev images, or local stage refs whose parent stage sets a non-root USER.
  • The created user is referenced in an ownership or permissions context:
    • Linux: COPY --chown, ADD --chown, or RUN chown
    • Windows: icacls /grant <user>, icacls /setowner <user>, New-Object ...AccessRule("<user>", ...)
    This indicates deliberate permissions orchestration rather than a forgotten step.

Cross-stage inheritance

The rule walks the FROM <stage> ancestry chain. If a parent stage creates a user that flows into the final image (via FROM), the rule detects it. User creation in stages referenced only by COPY --from does not trigger the rule, since COPY does not inherit /etc/passwd.

Relationship to other rules

The rules are complementary and may fire on the same Dockerfile. Neither suppresses the other.

Auto-fix

The rule offers an unsafe auto-fix (requires --fix-unsafe) that inserts USER <created_user> before the first ENTRYPOINT or CMD in the final stage. The fix is marked unsafe because:
  • Subsequent instructions might require root.
  • A privilege-drop pattern (gosu) might be more appropriate.
  • The inserted USER might not be the correct resolution in all cases.

References

Examples

Bad

Good

Configuration