F-2025-0008 · configuration

Docker image runs as root user

Fixed · typescript · widgetrouter-api
TL;DR

The application's Docker image ran as the root user, increasing the blast radius if a container escape or remote-code-execution issue is ever found.

Severity: LOW
Impact: LOW
Likelihood: LOW
Method: Manual review
Complexity: LOW
Exploitability: LOW
Description

The Dockerfile did not specify a non-root user. The container ran as root by default, increasing the impact of any container escape or RCE issue inside the application.

Recommendation

Add a USER directive in the Dockerfile to drop privileges to a non-root user before the application starts. Combine with Kubernetes securityContext settings (see L-04) to enforce the constraint at runtime.
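The weak and the corrected form of the Dockerfile side by side, as an added example rather than the project's own Dockerfile. It assumes a Node.js/TypeScript service built with npm and the official node image, whose built-in unprivileged "node" user (UID 1000) is reused; the image tag, paths and port are placeholders.

```dockerfile
# Added example, not the audited project's Dockerfile. Assumes a Node.js/TypeScript
# service built with npm; the node:20-alpine tag, /app paths and port are placeholders.

# --- Weak: no USER directive, so the server process runs as UID 0 ---
# FROM node:20-alpine
# WORKDIR /app
# COPY . .
# RUN npm ci && npm run build
# CMD ["node", "dist/server.js"]

# --- Fixed: build as root where the toolchain needs it, then drop privileges ---
FROM node:20-alpine AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build

FROM node:20-alpine
WORKDIR /app
# The official node image already ships an unprivileged "node" user (UID 1000),
# so no useradd/adduser step is needed. Files are owned by that user at copy time,
# which avoids a later chown layer and keeps the runtime filesystem read-only for it.
COPY --chown=node:node --from=build /app/dist ./dist
COPY --chown=node:node --from=build /app/node_modules ./node_modules
COPY --chown=node:node package.json ./
# Bind an unprivileged port (>1024) so the process needs no extra capability.
ENV PORT=8080
EXPOSE 8080
# Every instruction after this line (RUN, ENTRYPOINT, CMD) executes as UID 1000.
USER node
CMD ["node", "dist/server.js"]
```

`docker inspect --format '{{.Config.User}}' <image>` should now print `node` instead of an empty string. Setting `runAsNonRoot: true` in the pod's securityContext (the L-04 recommendation) makes the kubelet refuse to start any container whose image still resolves to UID 0, so a regression in the Dockerfile fails loudly at deploy time.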

Initia: Resolved. Pashov Audit Group: Resolved.

Status: Fixed
Fix commit: de9d3602dc1a
Fix date: 2025-06-23