generic.dockerfile.security.missing-user.missing-user

Author: returntocorp
Download count: 225

By not specifying a USER, programs in the container may run as 'root'. This is a security hazard: if an attacker can control a process running as root, they may gain control over the container. Ensure that the last USER in a Dockerfile is a user other than 'root'.

Definition

rules:
  - id: missing-user
    patterns:
      - pattern-either:
          - pattern: CMD ...
          - pattern: ENTRYPOINT ...
      - pattern-not-inside: |
          USER $USER
          ...
          ...
    message: By not specifying a USER, programs in the container may run as
      'root'. This is a security hazard. If an attacker can control a process
      running as root, they may have control over the container. Ensure that the
      last USER in a Dockerfile is a USER other than 'root'.
    severity: ERROR
    languages:
      - generic
    paths:
      include:
        - "*Dockerfile*"
        - "*dockerfile*"
    metadata:
      category: security
      technology:
        - dockerfile
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

missing-user.dockerfile

FROM busybox


RUN git clone https://github.com/returntocorp/semgrep
RUN pip3 install semgrep
# ruleid: missing-user
CMD semgrep -f p/xss



















FROM alpine
USER root
RUN apk add curl
USER root
# ok: missing-user
CMD ["ls", "-ltr"]




















FROM alpine
USER root
RUN apk add curl
USER daemon
# ok: missing-user
CMD ["ls", "-ltr"]




















FROM alpine
USER root
RUN apk add curl
USER daemon
USER root
# ok: missing-user
CMD ["ls", "-ltr"]
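The description asks that the last USER be an account other than root, but the rule's `pattern-not-inside: USER $USER ...` only checks that some USER instruction precedes CMD or ENTRYPOINT: as the test file above shows, a Dockerfile whose final USER is `root` is marked ok. The checker below is an added example, not part of Semgrep or of this rule, that tracks the last USER of the final build stage and reports both the missing-USER case and the root case, alongside a hardened Dockerfile that creates an unprivileged account before ENTRYPOINT. The sample Dockerfiles are constructed (the first three mirror the test cases above), the `adduser`-based remedy is the assumed fix, and the checker assumes the base image's default user is root when no USER is set.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample Dockerfiles (assumed inputs, not the rule's test file verbatim).
NO_USER = """FROM busybox
RUN pip3 install semgrep
# no USER at all: the process runs as the image default, normally root
CMD semgrep -f p/xss
"""

ROOT_LAST = """FROM alpine
USER root
RUN apk add curl
USER daemon
USER root
CMD ["ls", "-ltr"]
"""

DAEMON_LAST = """FROM alpine
USER root
RUN apk add curl
USER daemon
CMD ["ls", "-ltr"]
"""

# Hardened form: create an unprivileged account and switch to it before ENTRYPOINT.
HARDENED = """FROM alpine
RUN apk add --no-cache curl \\
    && addgroup -S app && adduser -S -G app app
USER app:app
ENTRYPOINT ["curl", "--version"]
"""

INSTRUCTION_RE = re.compile(r"^([A-Za-z]+)\s+(.*)$")


def parse_instructions(text: str) -> List[Tuple[str, str]]:
    """Return (INSTRUCTION, arguments) pairs; joins backslash continuations,
    skips comments and blank lines."""
    instructions: List[Tuple[str, str]] = []
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        logical = (pending + line).strip()
        pending = ""
        match = INSTRUCTION_RE.match(logical)
        if match:
            instructions.append((match.group(1).upper(), match.group(2).strip()))
    return instructions


def final_user(instructions: List[Tuple[str, str]]) -> Optional[str]:
    """User the container runs as: the last USER of the last build stage.

    Each FROM starts a new stage, which resets the user. A base image may set
    a non-root USER itself, but that is invisible from the Dockerfile alone,
    so an unset user is returned as None (assumed root by the caller)."""
    user: Optional[str] = None
    for instruction, args in instructions:
        if instruction == "FROM":
            user = None
        elif instruction == "USER":
            user = args.split(":")[0].strip()  # drop an optional ':group' suffix
    return user


def check_dockerfile(text: str) -> Tuple[str, str]:
    """Classify a Dockerfile as 'missing-user', 'root-user' or 'ok',
    together with the effective user."""
    instructions = parse_instructions(text)
    if not any(name in ("CMD", "ENTRYPOINT") for name, _ in instructions):
        return "ok", ""  # no run-time process is defined, same scope as the rule
    user = final_user(instructions)
    if user is None:
        return "missing-user", "root"
    if user in ("root", "0"):
        return "root-user", user
    return "ok", user


if __name__ == "__main__":
    samples = (("NO_USER", NO_USER), ("ROOT_LAST", ROOT_LAST),
               ("DAEMON_LAST", DAEMON_LAST), ("HARDENED", HARDENED))
    for name, sample in samples:
        verdict, user = check_dockerfile(sample)
        print(f"{name:12s} {verdict:13s} user={user or '(unset)'}")
```

Running the file prints one verdict per sample: the Semgrep rule and this checker agree on NO_USER and DAEMON_LAST, while ROOT_LAST is reported as `root-user` here even though the rule treats it as ok. Tracking the final stage matters for multi-stage builds, where a USER in an earlier stage does not carry over to the image that actually ships.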