
Rule Reference

SEC747 (lintai-ai-security / stable / dockerfile / warn)

Dockerfile: final stage runs as root

Dockerfile final stage explicitly runs as root

Provider: lintai-ai-security
Surface: dockerfile
Scope: per_file
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Checks the final Dockerfile stage for an explicit root runtime user while ignoring earlier build stages that later drop privileges.

Deterministic signal basis

DockerfileSignals tracks `FROM` stage boundaries and the effective explicit `USER` in the final stage, flagging only `root`, `root:*`, `0`, or `0:*` in the last stage.

Malicious corpus: dockerfile-final-stage-root-user
Benign corpus: dockerfile-final-stage-nonroot-user
Contract status: structured evidence required; remediation reviewed
Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

Why It Matters

Running the final image stage as root expands the blast radius of a container escape, file-write bug, or compromised process. It also makes least-privilege review harder for published build artifacts.

What Triggers

SEC747 tracks `FROM` stage boundaries and the effective explicit `USER` in the final stage. It matches only when the last stage ends with an explicit root user such as `USER root`, `USER root:root`, `USER 0`, or `USER 0:0`.

False Positives

Earlier build stages may legitimately use root while preparing artifacts. This rule intentionally ignores those stages when the final runtime stage drops privileges to a non-root user.
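As an added example (not the linter's own implementation), the following Python sketch models the detection described under What Triggers and the stage handling described under False Positives: it tracks `FROM` stage boundaries, keeps only the last explicit `USER` of the final stage, and flags `root`, `root:*`, `0` or `0:*`. The two embedded Dockerfiles are constructed samples, not the rule's corpora.

```python
import re

ROOT_USER_NAMES = {"root", "0"}  # rule flags root, root:*, 0, 0:* in the last stage

def logical_lines(text):
    """Join backslash-continued lines, then drop blank lines and # comments."""
    joined = re.sub(r"\\[ \t]*\n", " ", text)
    return [l.strip() for l in joined.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def final_stage_user(text):
    """Effective explicit USER of the last FROM stage, or None if none was set."""
    user = None
    for line in logical_lines(text):
        parts = line.split(None, 1)
        instr, arg = parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")
        if instr == "FROM":
            user = None  # stage boundary: earlier stages' USER no longer applies
        elif instr == "USER":
            user = arg  # a later USER in the same stage overrides an earlier one
    return user

def is_root_user(user):
    """True for root, root:<group>, 0 or 0:<group>; the group part is ignored."""
    return user is not None and user.split(":", 1)[0].strip() in ROOT_USER_NAMES

def check_sec747(text):
    """Return a finding when the final stage explicitly runs as root, else None."""
    user = final_stage_user(text)
    if is_root_user(user):
        return {"rule": "SEC747", "severity": "warn", "user": user}
    return None  # no explicit USER, or a non-root user, in the final stage

# Constructed sample Dockerfiles (written for this example, not the rule's corpora)
BUILD_ROOT_RUNTIME_NONROOT = """\
FROM golang:1.22 AS build
USER root
RUN go build -o /out/app ./...
FROM gcr.io/distroless/static
COPY --from=build /out/app /app
USER nonroot:nonroot
ENTRYPOINT ["/app"]
"""
RUNTIME_REESCALATES = """\
FROM python:3.12-slim
RUN useradd -r app && \\
    mkdir /srv/app
USER app
USER 0:0
CMD ["python", "serve.py"]
"""
```

The first sample is the benign multi-stage shape (root only in the build stage) and produces no finding; the second re-escalates to `0:0` in the runtime stage and is flagged.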

Remediation

Create a dedicated runtime user in the final stage and switch to it with `USER app`, `USER nonroot`, or another reviewed non-root account before the image entrypoint runs.