Docker Container Runs As Root
Description
Identifies Docker containers configured to run with root user privileges. Running containers as root grants excessive permissions that could be exploited by attackers to gain full system access if the container is compromised. This violates the principle of least privilege.
Detection Strategy
• Scans Dockerfile content line by line
• Identifies 'USER' directive declarations
• Flags any instance where 'USER root' is explicitly set
• Reports vulnerability only if the last USER directive in the file specifies root
• Does not flag Dockerfiles with no USER directive or non-root users
Vulnerable code example
FROM ubuntu:20.04
# Vulnerable: Explicitly setting root user gives container unnecessary privileges
USER root
RUN apt-get update
Secure code example
FROM ubuntu:20.04
# Use noninteractive frontend to prevent prompts
ARG DEBIAN_FRONTEND=noninteractive
# Keep root only for system setup and cleanup after
RUN apt-get update && \
apt-get install -y --no-install-recommends && \
...
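The following is an added example written for this page (it is not Fluid Attacks' scanner code) that implements the detection strategy above in Python over constructed sample Dockerfiles: it scans line by line, records every USER directive with its line number, and reports a finding only when the last directive resolves to root. It goes slightly beyond the page's literal "USER root" check by also treating uid 0 and user:group forms such as root:root as root. The sample Dockerfiles, the function names and the non-root account name appuser are assumptions made for the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample Dockerfiles (assumed inputs, not taken from any real project).
# The first ends as root, the second uses root only for setup and then drops
# privileges, the third has no USER directive at all.
VULNERABLE_DOCKERFILE = """\
FROM ubuntu:20.04
# Vulnerable: Explicitly setting root user gives container unnecessary privileges
USER root
RUN apt-get update
"""

SECURE_DOCKERFILE = """\
FROM ubuntu:20.04
ARG DEBIAN_FRONTEND=noninteractive
# Root is only needed for package installation and creating the service account
USER root
RUN apt-get update && \\
    apt-get install -y --no-install-recommends ca-certificates && \\
    rm -rf /var/lib/apt/lists/* && \\
    useradd --system --uid 10001 --no-create-home appuser
# The final USER directive hands the runtime over to the unprivileged account
USER appuser
CMD ["/bin/sh"]
"""

NO_USER_DOCKERFILE = """\
FROM alpine:3.19
RUN echo hello
"""

# Dockerfile instructions are case-insensitive; require whitespace after USER
# so that unrelated tokens such as "USERNAME=..." do not match.
USER_RE = re.compile(r"^USER\s+(\S+)", re.IGNORECASE)


def find_user_directives(dockerfile: str) -> List[Tuple[int, str]]:
    """Line-by-line scan returning (1-based line number, USER argument) pairs.

    Blank lines and comment lines are skipped; everything else is inspected.
    """
    directives = []
    for line_no, line in enumerate(dockerfile.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = USER_RE.match(stripped)
        if match:
            directives.append((line_no, match.group(1)))
    return directives


def is_root_user(user_spec: str) -> bool:
    """True if a USER argument resolves to root.

    Accepts the name 'root', the numeric uid 0, and 'user:group' forms such
    as 'root:root' or '0:0'. Variable references like ${APP_USER} are not
    resolved and therefore count as non-root here.
    """
    user = user_spec.split(":", 1)[0]
    return user in ("root", "0")


def last_user(dockerfile: str) -> Optional[str]:
    """The argument of the last USER directive, or None when there is none."""
    directives = find_user_directives(dockerfile)
    return directives[-1][1] if directives else None


def root_finding(dockerfile: str) -> Optional[int]:
    """Line number of the offending directive, or None if the file is clean.

    Mirrors the detection strategy: only the last USER directive matters,
    because it decides which account the container's process starts as.
    Files without any USER directive are not reported.
    """
    directives = find_user_directives(dockerfile)
    if not directives:
        return None
    line_no, user = directives[-1]
    return line_no if is_root_user(user) else None


def runs_as_root(dockerfile: str) -> bool:
    """Boolean wrapper around root_finding for simple pass/fail use."""
    return root_finding(dockerfile) is not None


if __name__ == "__main__":
    samples = {
        "vulnerable": VULNERABLE_DOCKERFILE,
        "secure": SECURE_DOCKERFILE,
        "no-user": NO_USER_DOCKERFILE,
    }
    for name, content in samples.items():
        line = root_finding(content)
        verdict = f"runs as root (USER directive at line {line})" if line else "ok"
        print(f"{name}: {verdict}")
```

The Dockerfile scan is a static check; for an image that has already been built, the same property can be confirmed at runtime with `docker inspect --format '{{.Config.User}}' <image>`, which prints an empty string when no USER directive was ever set (meaning the container defaults to root even though the scanner above would not report it).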