PG007: Use explicit UID/GID for container users

Why This Matters

When useradd is called without -u (or --uid), the system assigns the next free UID; groupadd without -g (or --gid) likewise assigns the next free GID. The result is not reproducible: it depends on which packages and system accounts were created earlier in the build. Rebuild the image after a base image update and the UID may change, breaking ownership of files on persistent volumes that were written under the previous UID. In Kubernetes, a mismatch between the UID baked into the image and securityContext.runAsUser causes permission errors at startup. Explicit IDs above 10000 also avoid collisions with host system users and the ranges Linux reserves for system accounts.

How to Fix

Specify an explicit UID and GID with the -u and -g flags, using values above 10000 to avoid conflicts with system and host users. Passing them as build arguments keeps a single source of truth that the deployment manifest (runAsUser, fsGroup) can reference. One caveat: USER appuser names the user rather than the ID, so if Kubernetes enforces runAsNonRoot: true you must also set runAsUser to the same numeric ID (or use the numeric form, e.g. USER 10001:10001), because the kubelet cannot verify a named user inside the image is non-root.

Before (incorrect)

RUN groupadd appgroup
RUN useradd appuser

After (correct)

ARG uid=10001
ARG gid=10001
RUN groupadd -g ${gid} appgroup && \
    useradd -u ${uid} -g appgroup -s /bin/false appuser
USER appuser
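The following script is an added example, not part of the rule page or its linter. It shows two checks a practitioner would run around this rule: pg007_findings, a shell/awk approximation of PG007 that flags useradd without -u/--uid and groupadd without -g/--gid in a Dockerfile (handling backslash continuations and compound RUN lines), and verify_image_user, which compares the UID that actually landed in an image's /etc/passwd with the value the deployment expects. The function names, the sample Dockerfiles and the passwd file are constructed here; the checker does not handle heredoc RUN blocks or busybox adduser/addgroup.

```shell
#!/bin/sh
# Added example, not the PG007 linter's own code.
# Assumptions: RUN lines use backslash continuations (no heredoc RUN), and only
# useradd/groupadd are recognised (busybox adduser/addgroup are not).
# The Dockerfiles and passwd content below are constructed for this demo.
set -u

# Fold backslash-continued lines so a multi-line RUN becomes one command string.
join_continuations() {
    awk '{ if (sub(/\\$/, "")) { buf = buf $0; next } print buf $0; buf = "" }
         END { if (buf != "") print buf }' "$1"
}

# Print one finding per offending command; print nothing when the Dockerfile is clean.
pg007_findings() {
    join_continuations "$1" | awk '
        /^[[:space:]]*RUN[[:space:]]/ {
            # Split compound RUN lines (&&, ||, ;) so each command is inspected alone.
            n = split($0, cmds, /&&|[|][|]|;/)
            for (i = 1; i <= n; i++) {
                c = cmds[i]
                if (c ~ /(^|[[:space:]])useradd([[:space:]]|$)/ &&
                    c !~ /(^|[[:space:]])(-[A-Za-z]*u|--uid)([[:space:]=]|$)/)
                    print "PG007 useradd without explicit UID:" c
                if (c ~ /(^|[[:space:]])groupadd([[:space:]]|$)/ &&
                    c !~ /(^|[[:space:]])(-[A-Za-z]*g|--gid)([[:space:]=]|$)/)
                    print "PG007 groupadd without explicit GID:" c
            }
        }'
}

# UID of a user from a passwd file (e.g. docker run --rm IMAGE cat /etc/passwd); fails if absent.
passwd_uid() {
    awk -F: -v user="$2" '$1 == user { print $3; found = 1 } END { exit !found }' "$1"
}

# 0 when the user exists, has the expected UID, and sits in the >= 10000 range the rule recommends.
verify_image_user() { # passwd_file user expected_uid
    uid=$(passwd_uid "$1" "$2") || return 1
    [ "$uid" -eq "$3" ] && [ "$uid" -ge 10000 ]
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BAD_DF=$WORK/Dockerfile.bad
GOOD_DF=$WORK/Dockerfile.good
PASSWD=$WORK/passwd

# Constructed: the rule's "before" Dockerfile (two findings expected).
cat > "$BAD_DF" <<'EOF'
FROM debian:bookworm-slim
RUN groupadd appgroup
RUN useradd appuser
USER appuser
EOF

# Constructed: the rule's "after" Dockerfile plus the long-option forms (no findings expected).
cat > "$GOOD_DF" <<'EOF'
FROM debian:bookworm-slim
ARG uid=10001
ARG gid=10001
RUN groupadd -g ${gid} appgroup && \
    useradd -u ${uid} -g appgroup -s /bin/false appuser
RUN groupadd --gid=10002 svc; useradd --uid=10002 -g svc -s /bin/false svc
USER appuser
EOF

# Constructed: what /etc/passwd looks like in an image built from the "after" Dockerfile.
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
appuser:x:10001:10001::/home/appuser:/bin/false
EOF

echo "== before =="; pg007_findings "$BAD_DF"
echo "== after  =="; pg007_findings "$GOOD_DF"
if verify_image_user "$PASSWD" appuser 10001; then
    echo "appuser has the expected UID 10001"
else
    echo "appuser UID does not match the expected runAsUser"
fi
```

To run verify_image_user against a real build, dump the image's passwd with docker run --rm IMAGE cat /etc/passwd and pass that file together with the UID your manifest sets in runAsUser; a mismatch there is exactly the startup permission error the rule warns about.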

Rule Details

Rule Code
PG007
Severity
Warning
Category
Security

Related Rules