dockerfile.security.missing-user-entrypoint.missing-user-entrypoint

Author: semgrep

By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.


Definition

rules:
  - id: missing-user-entrypoint
    patterns:
      - pattern: |
          ENTRYPOINT $...VARS
      - pattern-not-inside: |
          USER $USER
          ...
    fix: |
      USER non-root
      ENTRYPOINT $...VARS
    message: By not specifying a USER, a program in the container may run as 'root'.
      This is a security hazard. If an attacker can control a process running as
      root, they may have control over the container. Ensure that the last USER
      in a Dockerfile is a USER other than 'root'.
    severity: ERROR
    languages:
      - dockerfile
    metadata:
      cwe:
        - "CWE-269: Improper Privilege Management"
      category: security
      technology:
        - dockerfile
      confidence: MEDIUM
      owasp:
        - A04:2021 - Insecure Design
      references:
        - https://owasp.org/Top10/A04_2021-Insecure_Design
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization

Examples

missing-user-entrypoint.dockerfile

FROM busybox

# uncomment for ok
#USER notroot

RUN git clone https://github.com/returntocorp/semgrep
RUN pip3 install semgrep

# ruleid: missing-user-entrypoint
ENTRYPOINT semgrep -f p/xss

# TODO: metavar bug
# ok: missing-user-entrypoint
ENTRYPOINT ["semgrep", "--config", "localfile", "targets"]
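The check below is an added example, not Semgrep's engine and not part of the rule: it walks a Dockerfile, tracks the USER in effect for the current build stage (each FROM starts a stage with no USER, so Docker defaults to root), and reports every ENTRYPOINT that would run as root. It goes slightly beyond the rule's pattern by also treating `USER root` / `USER 0` as root; the sample Dockerfiles are constructed, modelled on the test file above.

```python
# Added example (not Semgrep's engine, not part of the rule): a small checker
# with the same intent as missing-user-entrypoint.
ROOT_USERS = {"root", "0"}  # assumption: uid 0 and the name 'root' are root


def instructions(text):
    """Yield (line_no, INSTRUCTION, args), joining backslash-continued
    lines and skipping blank lines and comments."""
    buf = ""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        head, rest = ((buf + line).split(None, 1) + [""])[:2]
        buf = ""
        yield line_no, head.upper(), rest.strip()


def find_root_entrypoints(text):
    """Return [(line_no, args)] for every ENTRYPOINT whose stage has no
    non-root USER in effect at that point."""
    findings = []
    user = None  # no USER yet in this stage: Docker defaults to root
    for line_no, instr, args in instructions(text):
        if instr == "FROM":
            user = None  # USER does not carry over into a new stage
        elif instr == "USER":
            user = args.split(":", 1)[0].strip()  # "USER name[:group]"
        elif instr == "ENTRYPOINT" and (user is None or user in ROOT_USERS):
            findings.append((line_no, args))
    return findings


# Constructed sample Dockerfiles, modelled on the rule's test file.
VULNERABLE = "FROM busybox\nRUN pip3 install semgrep\nENTRYPOINT semgrep -f p/xss\n"
FIXED = "FROM busybox\nRUN pip3 install semgrep\nUSER notroot\nENTRYPOINT semgrep -f p/xss\n"
# A USER in the build stage does not protect the final stage.
MULTISTAGE = (
    "FROM busybox AS build\nUSER builder\nRUN echo build\n"
    "FROM busybox\nCOPY --from=build /bin /bin\nENTRYPOINT [\"/bin/sh\"]\n"
)

if __name__ == "__main__":
    for name, df in (("vulnerable", VULNERABLE), ("fixed", FIXED), ("multistage", MULTISTAGE)):
        print(name, find_root_entrypoints(df))
```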