---
title: Run using sudo
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > Run using sudo
---

# Run using sudo

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ().
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `8ada6e80-0ade-439e-b176-0b28f6bce35a`

**Cloud Provider:** Dockerfile

**Platform:** Dockerfile

**Severity:** Medium

**Category:** Insecure Configurations

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.docker.com/engine/reference/builder/#run)

### Description{% #description %}

Including the `sudo` command in Dockerfile `RUN` instructions is a misconfiguration because Docker build steps typically run as root and `sudo` is unnecessary. Using `sudo` can mask incorrect privilege assumptions and lead to fragile builds, unexpected file ownership, or build-time failures when `sudo` is not available.

This rule flags Dockerfile `RUN` instructions that contain the literal `sudo`, either as the first token or anywhere in the command value. `RUN` instructions must omit `sudo`. Fix by invoking commands directly during build or by switching to a non-root user with the `USER` directive and correcting permissions with `chown` where appropriate.

```Dockerfile
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y curl

# If commands must run as a non-root user:
USER appuser
RUN mkdir -p /app && chown appuser:appuser /app
```

## Compliant Code Examples{% #compliant-code-examples %}

```dockerfile
FROM alpine:3.5
RUN apk add --update py2-pip
RUN pip install --upgrade pip
RUN apt-get install sudo
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```dockerfile
FROM alpine:3.5
RUN apk add --update py2-pip
RUN sudo pip install --upgrade pip
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]
```