diff --git a/content/scout/policy/_index.md b/content/scout/policy/_index.md index 4cef8ce99b..eef7437c44 100644 --- a/content/scout/policy/_index.md +++ b/content/scout/policy/_index.md @@ -61,6 +61,7 @@ Docker Scout ships the following out-of-the-box policies: - [High-profile vulnerabilities](#high-profile-vulnerabilities) - [Supply chain attestations](#supply-chain-attestations) - [Quality gates passed](#quality-gates-passed) +- [Default non-root user](#default-non-root-user) Policies are enabled by default for Scout-enabled repositories. If you want to customize the criteria of a policy, you can create custom policies based on the 
@@ -214,3 +215,27 @@ in the CLI. > is enabled. Docker Scout doesn't have access to historic evaluations. Trigger > a SonarQube analysis and policy evaluation after enabling the integration to > view the results in Docker Scout. + +### Default non-root user + +By default, containers run as the `root` superuser with full system +administration privileges inside the container, unless the Dockerfile specifies +a different default user. Running containers as a privileged user weakens their +runtime security, as it means any code that runs in the container can perform +administrative actions. + +The **Default non-root user** policy detects images that are set to run as the +default `root` user. To comply with this policy, images must specify a non-root +user in the image configuration. Images violate this policy if they don't +specify a non-root default user for the runtime stage. + +> **Note** +> +> This policy only checks for the default user of the image, as set in the +> image configuration blob. Even if you do specify a non-root default user, +> it's still possible to override the default user at runtime, for example by +> using the `--user` flag for the `docker run` command. + +To make your images compliant with this policy, use the +[`USER`](../../engine/reference/builder.md#user) Dockerfile instruction to set +a default user that doesn't have root privileges for the runtime stage.
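Review bot: In the first hunk, the new `Default non-root user` list entry sits directly above the unchanged sentence "Policies are enabled by default for Scout-enabled repositories", so the page now implies this policy is on by default as well. Confirm that is the case for repositories that already have Scout enabled. If it is, consider saying so in the new section, because images with no `USER` instruction will start showing as non-compliant.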
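Review bot: In the second hunk, the paragraph that begins "The **Default non-root user** policy detects images" never defines what counts as root, so a reader cannot tell whether `USER 0`, `USER 0:0` or an image whose user field is unset is evaluated the same way as `USER root`. Spell out the rule the policy applies to the image configuration, covering numeric UIDs and the unset case. In the first paragraph of the section, "Running containers as a privileged user" can be misread as referring to `--privileged` mode; "as `root`" would be unambiguous. The closing remediation paragraph only links to the `USER` reference. A short Dockerfile snippet that creates an unprivileged account and then sets `USER` in the final stage would help, since `USER` on its own does not create the account it names.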