---
title: Last user is root
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > Last user is root
---

# Last user is root

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ().
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae`

**Cloud Provider:** Dockerfile

**Platform:** Dockerfile

**Severity:** High

**Category:** Best Practices

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.docker.com/engine/reference/builder/#user)

### Description{% #description %}

Containers must not run their final process as root because running as root increases the impact of a compromise and can enable privilege escalation or container-to-host attacks.

This rule checks the Dockerfile `USER` instruction and flags Dockerfiles whose last `USER` is set to `root`. The final `USER` must be a non-root username or UID.

If root is required for build-time actions, perform those steps earlier (for example, in a build stage), then create a non-root user and set `USER` to that account before the final `CMD`/`ENTRYPOINT`.

Secure example that switches to a non-root user before runtime:

```dockerfile
FROM node:18 AS build
RUN npm ci && npm run build

FROM node:18-slim
WORKDIR /app
COPY --from=build /app/dist .
RUN addgroup --system app && adduser --system --ingroup app app
USER app
CMD ["node", "server.js"]
```

## Compliant Code Examples{% #compliant-code-examples %}

```dockerfile
FROM alpine:2.6
USER root
RUN npm install
USER guest
```

```dockerfile
FROM golang:1.16 AS builder
WORKDIR /go/src/github.com/foo/href-counter/
RUN go get -d -v golang.org/x/net/html  
COPY app.go    ./
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
USER root

FROM alpine:latest  
RUN apk --no-cache add ca-certificates
WORKDIR /root/
COPY --from=builder /go/src/github.com/foo/href-counter/app ./
CMD ["./app"]
RUN useradd -ms /bin/bash patrick

USER patrick
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```dockerfile
FROM alpine:2.6
USER root
RUN npm install
```