generic.dockerfile.security.last-user-is-root.last-user-is-root
The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'.
Definition
rules:
  - id: last-user-is-root
    patterns:
      - pattern: USER root
      - pattern-not-inside: |
          USER root
          ...
          USER $ANYTHING
    message: The last user in the container is 'root'. This is a security hazard
      because if an attacker gains control of the container they will have root
      access. Switch back to another user after running commands as 'root'.
    severity: ERROR
    languages:
      - dockerfile
    metadata:
      cwe:
        - "CWE-269: Improper Privilege Management"
      source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3002
      references:
        - https://github.com/hadolint/hadolint/wiki/DL3002
      category: security
      technology:
        - dockerfile
      confidence: MEDIUM
      owasp:
        - A04:2021 - Insecure Design
      subcategory:
        - audit
      likelihood: MEDIUM
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
Examples
last-user-is-root.dockerfile
FROM busybox
# ruleid: last-user-is-root
USER root
RUN git clone https://github.com/returntocorp/semgrep
RUN pip3 install semgrep
RUN semgrep -f p/xss
# USER swuser   <- commented out, so 'root' remains the final USER and the rule fires
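The same check written out as plain Python, as an added example that is not the Semgrep rule or hadolint's code: it walks the USER instructions of a Dockerfile and reports any build stage whose final USER is root. It deliberately goes beyond the rule in two ways, treating uid 0 as root and judging each FROM stage separately; the two sample Dockerfiles are constructed, not the registry's test file.

```python
# Added example: the last-user-is-root check as plain Python, not the
# Semgrep rule itself. Skips comments/blank lines, joins backslash
# continuations, ignores instruction case. Beyond the rule: uid 0 counts
# as root, and each build stage (each FROM) is judged on its own.
ROOT_NAMES = {"root", "0"}

def _instructions(dockerfile):
    """Yield (INSTRUCTION, argument) pairs with continuations joined."""
    buf = ""
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        parts = (buf + line).split(None, 1)
        buf = ""
        yield parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")

def _is_root(user_arg):
    """USER takes user[:group]; only the user part decides privilege."""
    return user_arg.split(":", 1)[0].strip() in ROOT_NAMES

def last_user_is_root(dockerfile):
    """Return 1-based indexes of build stages whose final USER is root.

    As in the rule, a stage with no USER instruction at all is not flagged,
    even though such a stage runs as root by default.
    """
    findings, stage, last_user = [], 0, None
    for instr, arg in _instructions(dockerfile):
        if instr == "FROM":
            if last_user is not None and _is_root(last_user):
                findings.append(stage)
            stage, last_user = stage + 1, None
        elif instr == "USER":
            last_user = arg
    if last_user is not None and _is_root(last_user):
        findings.append(stage)
    return findings

# Constructed samples (not the registry page's test file): the page's
# pattern with USER swuser commented out, and the same file with it restored.
FLAGGED = "FROM busybox\nUSER root\nRUN pip3 install semgrep\n# USER swuser\n"
FIXED = "FROM busybox\nUSER root\nRUN pip3 install semgrep\nUSER swuser\n"

if __name__ == "__main__":
    print(last_user_is_root(FLAGGED), last_user_is_root(FIXED))  # [1] []
```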
Short Link: https://sg.run/N461