From fea5253efabdc625502c65aaa6aa096988b2450f Mon Sep 17 00:00:00 2001
From: David Karlsson <35727626+dvdksn@users.noreply.github.com>
Date: Mon, 15 Jan 2024 15:39:53 +0100
Subject: [PATCH] scout(policy): diff compliant/non-compliant Dockerfile, non-root user

Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
---
 content/scout/policy/_index.md | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/content/scout/policy/_index.md b/content/scout/policy/_index.md
index 6b81873e75..66c1780c0d 100644
--- a/content/scout/policy/_index.md
+++ b/content/scout/policy/_index.md
@@ -239,3 +239,36 @@ specify a non-root default user for the runtime stage.
 To make your images compliant with this policy, use the
 [`USER`](../../engine/reference/builder.md#user) Dockerfile instruction to set
 a default user that doesn't have root privileges for the runtime stage.
+
+The following Dockerfile snippets shows the difference between a compliant and
+non-compliant image.
+
+{{< tabs >}}
+{{< tab name="Non-compliant" >}}
+
+```dockerfile
+FROM alpine AS builder
+COPY Makefile ./src /
+RUN make build
+
+FROM alpine AS runtime
+COPY --from=builder bin/production /app
+ENTRYPOINT ["/app/production"]
+```
+
+{{< /tab >}}
+{{< tab name="Compliant" >}}
+
+```dockerfile {hl_lines=7}
+FROM alpine AS builder
+COPY Makefile ./src /
+RUN make build
+
+FROM alpine AS runtime
+COPY --from=builder bin/production /app
+USER nonroot
+ENTRYPOINT ["/app/production"]
+```
+
+{{< /tab >}}
+{{< /tabs >}}
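Review bot: The "Compliant" snippet sets `USER nonroot` on a plain `alpine` runtime stage that never creates that account, so the image builds but, as far as I can tell, the container refuses to start because `nonroot` has no entry in `/etc/passwd` — a reader copying the example gets a broken image rather than a compliant one. Create the account in the runtime stage before switching to it, e.g. `RUN adduser -D nonroot` (busybox `adduser` on alpine) directly above `USER nonroot`, and widen the highlight to cover both lines, `{hl_lines=["7-8"]}` in Hugo's range form. It is also worth a sentence in the surrounding prose that the policy checks the *default* user of the runtime stage, so a `USER` in the builder stage alone does not satisfy it; the snippets already illustrate this but do not say it. Minor wording: `snippets shows` should read `snippets show`.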