- Always specify `USER <non-root-user>` before CMD/ENTRYPOINT
- Use `USER node` for Node.js or create a dedicated user
- Do not run your application as root, to reduce exposure to container escape vulnerabilities
- Define and switch to a non-root user via `USER <user-name>` as the last step in your Dockerfile
- Set appropriate file ownership with `chown` when copying application code, so the non-root user does not hit permission-denied errors
- Explicitly set `securityContext.runAsNonRoot: true` in Kubernetes environments if deployed there
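One way to enforce the Dockerfile rules above in CI, as an added example that is not part of the original page: a small linter that inspects only the final build stage (the one that ships) and reports a missing or root `USER` at `CMD`/`ENTRYPOINT` and any `COPY` without `--chown`. The function names and both sample Dockerfiles (image tag, paths, file names) are constructed for illustration.

```python
import re

def final_stage(dockerfile):
    """Return (INSTRUCTION, args) pairs for the last build stage only."""
    text = re.sub(r"\\[ \t]*\n", " ", dockerfile)   # join line continuations
    stage = []
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue                                # skip blanks and comments
        instr = parts[0].upper()
        if instr == "FROM":
            stage = []          # each FROM starts a new stage; only the last ships
        stage.append((instr, parts[1] if len(parts) > 1 else ""))
    return stage

def check_non_root(dockerfile):
    """List findings for the final stage; an empty list means it passes."""
    # user None = no explicit USER yet, so the base image's user (often root) applies
    findings, user = [], None
    for instr, args in final_stage(dockerfile):
        if instr == "USER":
            user = args.split(":", 1)[0].strip()     # "node:node" -> "node"
        elif instr == "COPY" and "--chown=" not in args:
            findings.append(f"COPY without --chown leaves files owned by root: {args}")
        elif instr in ("CMD", "ENTRYPOINT"):
            if user is None:
                findings.append(f"{instr} reached with no explicit USER")
            elif user in ("root", "0"):
                findings.append(f"{instr} runs as root (USER {user})")
    return findings

# Constructed sample Dockerfiles (not from the original page).
BAD = """FROM node:20-alpine
WORKDIR /app
COPY . .
RUN npm ci --omit=dev
CMD ["node", "server.js"]
"""
GOOD = """FROM node:20-alpine AS build
WORKDIR /app
COPY . .
RUN npm ci --omit=dev
FROM node:20-alpine
WORKDIR /app
COPY --from=build --chown=node:node /app /app
USER node
CMD ["node", "server.js"]
"""
```

`check_non_root(BAD)` returns two findings and `check_non_root(GOOD)` returns none; a `USER` given as a build argument (for example `$APP_USER`) is not resolved and is treated as non-root.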