Merge pull request #18974 from dvdksn/scout-policy-non-root-user

scout(policy): default user is root

content/scout/policy/_index.md

@@ -61,6 +61,7 @@ Docker Scout ships the following out-of-the-box policies:
 - [High-profile vulnerabilities](#high-profile-vulnerabilities)
 - [Supply chain attestations](#supply-chain-attestations)
 - [Quality gates passed](#quality-gates-passed)
+- [Default non-root user](#default-non-root-user)
 
 Policies are enabled by default for Scout-enabled repositories. If you want to
 customize the criteria of a policy, you can create custom policies based on the
@@ -214,3 +215,27 @@ in the CLI.
 > is enabled. Docker Scout doesn't have access to historic evaluations. Trigger
 > a SonarQube analysis and policy evaluation after enabling the integration to
 > view the results in Docker Scout.
+
+### Default non-root user
+
+By default, containers run as the `root` superuser with full system
+administration privileges inside the container, unless the Dockerfile specifies
+a different default user. Running containers as a privileged user weakens their
+runtime security, as it means any code that runs in the container can perform
+administrative actions. 
+
+The **Default non-root user** policy detects images that are set to run as the
+default `root` user. To comply with this policy, images must specify a non-root
+user in the image configuration. Images violate this policy if they don't
+specify a non-root default user for the runtime stage.
+
+> **Note**
+>
+> This policy only checks for the default user of the image, as set in the
+> image configuration blob. Even if you do specify a non-root default user,
+> it's still possible to override the default user at runtime, for example by
+> using the `--user` flag for the `docker run` command.
+
+To make your images compliant with this policy, use the
+[`USER`](../../engine/reference/builder.md#user) Dockerfile instruction to set
+a default user that doesn't have root privileges for the runtime stage.