Docker image runs as root; no non-root user defined

- **Context**: Cloud
- **Category**: Vulnerability (Container Privilege Escalation)
- **Severity**: Medium

**Evidence**

```dockerfile
# Dockerfile
FROM node:20-alpine
RUN corepack enable && ...
WORKDIR /app
COPY ...
RUN pnpm run build
EXPOSE 3000
CMD ["pnpm", "start"]
```

No `USER` directive is present. The Node.js process runs as **root (UID 0)** inside the container. If the application is compromised (e.g., via RCE through a dependency vulnerability), the attacker has full root access to the container filesystem, including all environment variables, mounted secrets (`dot_env`), and potentially the container runtime socket if it is mounted.

**Affected files**: `Dockerfile`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Docker image runs as root; no non-root user defined #42

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Docker image runs as root; no non-root user defined #42

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions