Explain explicit property in default non-root user policy (#19108)

* Explain explicit property in default non-root user policy * Apply suggestions from code review Co-authored-by: David Karlsson <35727626+dvdksn@users.noreply.github.com> --------- Co-authored-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
2024-01-16 14:25:25 +01:00 · 2024-01-16 14:25:25 +01:00 · 18aa50a82c
parent 8410a7d251
commit 18aa50a82c
1 changed files with 19 additions and 0 deletions
--- a/content/scout/policy/_index.md
+++ b/content/scout/policy/_index.md
@ -229,6 +229,25 @@ default `root` user. To comply with this policy, images must specify a non-root
 user in the image configuration. Images violate this policy if they don't
 specify a non-root default user for the runtime stage.

+For non-compliant images, evaluation results show whether or not the `root`
+user was set explicitly for the image. This helps you distinguish between
+policy violations caused by images where the `root` user is implicit, and
+images where `root` is set on purpose.
+
+The following Dockerfile runs as `root` by default despite not being explicitly set:
+```Dockerfile
+FROM alpine
+RUN echo "Hi"
+```
+
+Whereas in the following case, the `root` user is explicitly set:
+
+```Dockerfile
+FROM alpine
+USER root
+RUN echo "Hi"
+```
+
 > **Note**
 >
 > This policy only checks for the default user of the image, as set in the