Run the process with least privilege, not as root

Run the process with least privilege, not as root | BeforeMerge Rules | BeforeMerge

Why this matters

If the process is exploited, the attacker inherits its privileges. Running as root means a single bug can own the entire machine. A dedicated low-privilege user contains the blast radius.

# Bad: container runs as root by default
 
# Good: drop to a non-root user
RUN addgroup -S app && adduser -S app -G app
USER app

Why This Matters

Related Rules

Catch this automatically on every PR

Why this matters