[GH-ISSUE #752] Security Hardening: Enforce non-root execution (USER) in example Dockerfiles #15521

Closed
opened 2026-06-21 01:19:08 -05:00 by GiteaMirror · 1 comment
Owner

Originally created by @BiosSystem on GitHub (May 30, 2026).
Original GitHub issue: https://github.com/docker/awesome-compose/issues/752

Problem Description

Several Dockerfile examples in the repository do not declare a USER directive. Consequently, the containers run under the default privileged root user context. Standard security benchmarks (such as Hadolint and Docker production-grade hardening guidelines) recommend running container processes as non-root users to mitigate potential security vulnerabilities and limit privilege escalation risk in the event of a container escape.

Affected Examples

  1. vuejs (vuejs/vuejs/Dockerfile)
    • At line 22, a non-root user vscode is created (adduser -S --shell /bin/bash --ingroup docker vscode), but USER vscode is never set, leaving the container execution context as root.
  2. wasmedge-kafka-mysql (wasmedge-kafka-mysql/etl/Dockerfile)
    • The final scratch base container lacks a USER instruction, defaulting execution to root (UID 0) in standard container runtimes.
  3. wasmedge-mysql-nginx (wasmedge-mysql-nginx/backend/Dockerfile)
    • Runs as root without declaring a non-root execution boundary.

Proposed Remediations

  1. For vuejs/vuejs/Dockerfile, add USER vscode after creating the user:
    RUN <<EOF
    addgroup -S docker
    adduser -S --shell /bin/bash --ingroup docker vscode
    EOF
    USER vscode
    
  2. For scratch base images, declare a non-privileged UID:
    FROM scratch
    USER 10001
    COPY --link --from=build /kafka.wasm /kafka.wasm
    ENTRYPOINT [ "kafka.wasm" ]
    
Originally created by @BiosSystem on GitHub (May 30, 2026). Original GitHub issue: https://github.com/docker/awesome-compose/issues/752 ### Problem Description Several Dockerfile examples in the repository do not declare a `USER` directive. Consequently, the containers run under the default privileged `root` user context. Standard security benchmarks (such as Hadolint and Docker production-grade hardening guidelines) recommend running container processes as non-root users to mitigate potential security vulnerabilities and limit privilege escalation risk in the event of a container escape. ### Affected Examples 1. **`vuejs`** (`vuejs/vuejs/Dockerfile`) - At line 22, a non-root user `vscode` is created (`adduser -S --shell /bin/bash --ingroup docker vscode`), but `USER vscode` is never set, leaving the container execution context as root. 2. **`wasmedge-kafka-mysql`** (`wasmedge-kafka-mysql/etl/Dockerfile`) - The final `scratch` base container lacks a `USER` instruction, defaulting execution to root (UID 0) in standard container runtimes. 3. **`wasmedge-mysql-nginx`** (`wasmedge-mysql-nginx/backend/Dockerfile`) - Runs as root without declaring a non-root execution boundary. ### Proposed Remediations 1. For **`vuejs/vuejs/Dockerfile`**, add `USER vscode` after creating the user: ```dockerfile RUN <<EOF addgroup -S docker adduser -S --shell /bin/bash --ingroup docker vscode EOF USER vscode ``` 2. For **`scratch`** base images, declare a non-privileged UID: ```dockerfile FROM scratch USER 10001 COPY --link --from=build /kafka.wasm /kafka.wasm ENTRYPOINT [ "kafka.wasm" ] ```
Author
Owner

@BiosSystem commented on GitHub (May 30, 2026):

Closing as this issue targets example files.

<!-- gh-comment-id:4582562155 --> @BiosSystem commented on GitHub (May 30, 2026): Closing as this issue targets example files.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/awesome-compose#15521