DL3002: Last USER should not be root

Warning Security

Why This Matters

Running a container as root gives the process full host-level privileges if it escapes the container. A vulnerability in your application could grant an attacker root access to the host, which is why this is one of the most critical security risks in containerized workloads. Always switch to a non-root user after performing root-only setup tasks.

How to Fix

Add a non-root USER instruction at the end of the Dockerfile

Before (incorrect)

USER root
CMD ["node", "server.js"]

After (correct)

USER node
CMD ["node", "server.js"]
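A simplified version of this check, as an added example (not the linter's own implementation), which also covers numeric UIDs, `user:group` values, line continuations and multi-stage builds. Assumptions: the function names are hypothetical, the `node:20` base image and the sample Dockerfiles are constructed, only the final stage is evaluated, and variables in `USER` are not expanded.

```python
# Added example: simplified DL3002-style check (not the linter's own code).
ROOT_IDS = {"root", "0"}  # assumption: the name "root" and UID 0 both count as root

def instructions(dockerfile):
    """Yield instructions, joining backslash continuations and skipping comments."""
    pending = ""
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        yield pending + line
        pending = ""

def last_user(dockerfile):
    """Last USER value in the final stage, or None if that stage sets none."""
    user = None
    for instr in instructions(dockerfile):
        parts = instr.split(None, 1)
        keyword = parts[0].upper()
        if keyword == "FROM":
            user = None  # each FROM starts a new stage; earlier USERs do not carry over
        elif keyword == "USER" and len(parts) == 2:
            user = parts[1].strip()
    return user

def last_user_is_root(dockerfile):
    """True when the final stage's last USER is root, with or without a :group."""
    user = last_user(dockerfile)
    return user is not None and user.split(":", 1)[0] in ROOT_IDS

# Constructed sample: root for the build stage and for setup, then dropped.
MULTI_STAGE = """\
FROM node:20 AS build
USER root
RUN npm ci
FROM node:20
USER root
RUN apt-get update && \\
    apt-get install -y curl
USER node:node
CMD ["node", "server.js"]
"""

if __name__ == "__main__":
    for name, text in [("multi-stage", MULTI_STAGE),
                       ("numeric root", "FROM node:20\nUSER 0:0\n")]:
        print(name, "-> violation" if last_user_is_root(text) else "-> ok")
```

A final stage with no `USER` instruction returns `None` here because the effective user then comes from the base image, which this sketch cannot inspect.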

Rule Details

Rule Code
DL3002
Severity
Warning
Category
Security

Related Rules