dockerfile.security.missing-user.missing-user

Author
unknown
By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.

Definition

rules:
  - id: missing-user
    patterns:
      - pattern: |
          CMD $...VARS
      - pattern-not-inside: |
          USER $USER
          ...
    fix: |
      USER non-root
      CMD $...VARS
    message: By not specifying a USER, a program in the container may run as 'root'.
      This is a security hazard. If an attacker can control a process running as
      root, they may have control over the container. Ensure that the last USER
      in a Dockerfile is a USER other than 'root'.
    severity: ERROR
    languages:
      - dockerfile
    metadata:
      cwe:
        - "CWE-269: Improper Privilege Management"
      category: security
      technology:
        - dockerfile
      confidence: MEDIUM
      owasp:
        - A04:2021 - Insecure Design
      references:
        - https://owasp.org/Top10/A04_2021-Insecure_Design
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization

Examples

missing-user.dockerfile

FROM busybox

# uncomment for ok
#USER notroot

RUN git clone https://github.com/returntocorp/semgrep
RUN pip3 install semgrep

# ruleid: missing-user
CMD semgrep -f p/xss

# ruleid: missing-user
CMD semgrep --config localfile targets

# TODO: metavar ellipses bug
# ok: missing-user
CMD ["semgrep", "--version"]