DockerScout Non default user policy issue

Hello!

Writing here after googling around with the following issue:
I have the following Dockerfile (I will simplify it a bit):

# syntax=docker/dockerfile:1
FROM ubuntu:20.04

RUN adduser --disabled-password --gecos "" nonrootuser  &&  \
  usermod -u 1000 nonrootuser && \
  groupmod -g 1000 nonrootuser

RUN --mount=type=cache,target=/var/cache/apt \
  --mount=type=cache,target=/var/lib/apt \
  apt-get update && apt-get install -y --no-install-recommends \
  ca-certificates \
  ninja-build \
  ...

WORKDIR /tmp

RUN git clone --recurse-submodules --depth 1 --shallow-submodules https://github.com/mycompany/myproject.git .

WORKDIR /tmp/myproject
RUN cmake -S . -B build && \
  cmake --build build --config Release && \
  cmake --build build --target install

USER nonrootuser
WORKDIR /home/nonrootuser

Which, after pushing to Docker Hub and scanning it with Docker Scout, results in 6/7 compliant policies, with the “Default non-root user” policy being non-compliant. First, I don’t understand why this is possible, given that I set the non-root user last.

Second, I have this other Dockerfile:

# syntax=docker/dockerfile:1
FROM ubuntu:20.04 AS ubuntu-arm64
ENV SYSTEM_LIBS_PATH=/usr/lib/aarch64-linux-gnu

FROM ubuntu:20.04 AS ubuntu-x86_64
ENV SYSTEM_LIBS_PATH=/usr/lib/x86_64-linux-gnu

FROM ubuntu:20.04 AS ubuntu-amd64
ENV SYSTEM_LIBS_PATH=/usr/lib/x86_64-linux-gnu

ARG TARGETARCH
FROM ubuntu-${TARGETARCH}

USER root

RUN adduser --disabled-password --gecos "" nonrootuser  && usermod -u 1000 nonrootuser && groupmod -g 1000 nonrootuser

RUN apt-get update && apt-get upgrade -y && apt-get install -yqq --fix-missing --no-install-recommends \
    python3 \
....

RUN ldconfig

USER nonrootuser
WORKDIR /home/nonrootuser

This image, however, does comply with all 7 policies… What am I missing? Is there a bug or something in Docker Scout?

Hope someone can shed some light on this issue :slight_smile:

Thanks in advance!

I couldn’t reproduce this behavior. Can you share the output of the policy checking?

This is the output of the following command: $ docker scout quickview myorg/image:latest --org myorg --output report.txt


Image 1

  Target             │  myorg/builder.base:v2  │    0C     5H   968M    61L   
    digest           │  92078e4352d6                           │                              
  Base image         │  ubuntu:20.04                           │    0C     0H     3M    12L   
  Updated base image │  ubuntu:25.04                           │    0C     0H     0M     0L   
                     │                                         │                  -3    -12   

Policy status  FAILED  (6/7 policies met)

  Status │                   Policy                    │           Results            
─────────┼─────────────────────────────────────────────┼──────────────────────────────
  !      │ No default non-root user found              │                              
  ✓      │ No AGPL v3 licenses                         │    0 packages                
  ✓      │ No fixable critical or high vulnerabilities │    0C     0H     0M     0L   
  ✓      │ No high-profile vulnerabilities             │    0C     0H     0M     0L   
  ✓      │ No outdated base images                     │                              
  ✓      │ No unapproved base images                   │    0 deviations              
  ✓      │ Supply chain attestations                   │    0 deviations

Image 2

  Target             │  myorg/base.ubuntu:latest  │    0C     0H     3M    12L   
    digest           │  8bf83a61f4cc                              │                              
  Base image         │  ubuntu:20.04                              │    0C     0H     3M    12L   
  Updated base image │  ubuntu:25.04                              │    0C     0H     0M     0L   
                     │                                            │                  -3    -12   

Policy status  SUCCESS  (7/7 policies met)

  Status │                   Policy                    │           Results            
─────────┼─────────────────────────────────────────────┼──────────────────────────────
  ✓      │ Default non-root user                       │                              
  ✓      │ No AGPL v3 licenses                         │    0 packages                
  ✓      │ No fixable critical or high vulnerabilities │    0C     0H     0M     0L   
  ✓      │ No high-profile vulnerabilities             │    0C     0H     0M     0L   
  ✓      │ No outdated base images                     │                              
  ✓      │ No unapproved base images                   │    0 deviations              
  ✓      │ Supply chain attestations                   │    0 deviations

This is the result of doing: docker inspect myorg/image:tag | grep -b10 -a10 User


Image 1

207-            "myorg/builder.base@sha256:2fd1a3f2adf56cf0ddae42325f397b8ab6b2ff098965e13a883f469611c47d21"
328-        ],
339-        "Parent": "",
361-        "Comment": "buildkit.dockerfile.v0",
406-        "Created": "2025-02-07T17:43:36.790818584Z",
459-        "DockerVersion": "",
488-        "Author": "",
510-        "Config": {
530-            "Hostname": "",
558-            "Domainname": "",
588:            "User": "nonrootuser",
620-            "AttachStdin": false,
654-            "AttachStdout": false,
689-            "AttachStderr": false,
724-            "Tty": false,
750-            "OpenStdin": false,
782-            "StdinOnce": false,
814-            "Env": [
835-                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/install/bin",
955-                "CONTAINER_TIMEZONE=Europe/Rome",
1005-                "LD_LIBRARY_PATH=/install/lib",

Image 2

210-            "myorg/base.ubuntu@sha256:43a9976ba7d2ef7a190fcbf065914b2716bb852c5c98d253684c913981ec705c"
330-        ],
341-        "Parent": "",
363-        "Comment": "buildkit.dockerfile.v0",
408-        "Created": "2025-02-06T09:13:09.922648285Z",
461-        "DockerVersion": "",
490-        "Author": "",
512-        "Config": {
532-            "Hostname": "",
560-            "Domainname": "",
590:            "User": "nonrootuser",
622-            "AttachStdin": false,
656-            "AttachStdout": false,
691-            "AttachStderr": false,
726-            "Tty": false,
752-            "OpenStdin": false,
784-            "StdinOnce": false,
816-            "Env": [
837-                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/install/bin",
935-                "SYSTEM_LIBS_PATH=/usr/lib/x86_64-linux-gnu",
997-                "CONTAINER_TIMEZONE=Europe/Rome",

Let me know if this is what you are looking for.

Thanks in advance!

Thank you. I didn’t actually know what I was looking for. I hoped I would catch something in the outputs, but I don’t.

When I don’t know what causes an issue, I usually start to delete instructions in the Dockerfile until I have a very basic, minimal Dockerfile which can still reproduce the same issue. If it doesn’t at some point, I know which line caused the problem and I know what I need to report as a bug, if it is a bug.

Can you try that?

PS: Sorry, I have been replying more slowly recently.

Sure, I will try that.

On the other hand, it sometimes happens that the same image, built for arm64 and amd64, has different results for this particular policy.

Both images are being built concurrently, using the cloud builder. The command is the following:

docker buildx build --no-cache --push --platform=linux/arm64,linux/amd64 -f Dockerfile --ssh=default --sbom=true --provenance=true -t myorg/imagename:latest .
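One way to check, per platform, whether each variant of a multi-arch image actually carries a non-root `User` in its config (the field the “Default non-root user” policy looks at), as an added example that is not part of this thread. It assumes the multi-platform output shape of `docker buildx imagetools inspect <image> --format '{{json .Image}}'` (a map of platform to OCI image config) and uses constructed sample data standing in for that output:

```python
import json

# Constructed sample, shaped like the assumed output of
#   docker buildx imagetools inspect myorg/imagename:latest --format '{{json .Image}}'
# for a multi-platform image: platform -> OCI image config. The arm64 variant has no
# User set, which is the situation a per-platform policy difference would look like.
SAMPLE_IMAGE_CONFIGS = json.dumps({
    "linux/amd64": {"architecture": "amd64", "os": "linux",
                    "config": {"User": "nonrootuser", "Env": ["PATH=/usr/bin"]}},
    "linux/arm64": {"architecture": "arm64", "os": "linux",
                    "config": {"Env": ["PATH=/usr/bin"]}},  # no USER: container runs as root
})

ROOT_NAMES = {"", "root", "0"}


def runs_as_root(user):
    """True when the config's User means root: unset, '', 'root', '0', or any
    'user:group' form whose user part is one of those. A named user that maps to
    UID 0 in the image's /etc/passwd cannot be detected from the config alone."""
    if user is None:
        return True
    return user.split(":", 1)[0].strip() in ROOT_NAMES


def check_default_user(inspect_json):
    """Map each platform to its User value and whether it passes the non-root check."""
    data = json.loads(inspect_json)
    # Single-platform output is one config object rather than a platform map.
    if "config" in data and "architecture" in data:
        data = {f"{data.get('os', 'unknown')}/{data['architecture']}": data}
    verdicts = {}
    for platform, image in data.items():
        user = image.get("config", {}).get("User")
        verdicts[platform] = {"user": user, "nonroot": not runs_as_root(user)}
    return verdicts


def failing_platforms(inspect_json):
    """Platforms whose variant would fail the non-root user check."""
    return sorted(p for p, v in check_default_user(inspect_json).items() if not v["nonroot"])


if __name__ == "__main__":
    for platform, v in check_default_user(SAMPLE_IMAGE_CONFIGS).items():
        print(f"{platform}: User={v['user']!r} -> {'ok' if v['nonroot'] else 'FAIL (root)'}")
```

Pipe the real `imagetools inspect` output into `check_default_user` to see whether the arm64 and amd64 variants of one tag disagree before relying on the Scout verdict.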

Unfortunately, I couldn’t find the error.

The same image built twice results in a non-compliant image once and a compliant image the second time. For now I have disabled the policy, since the image is not used as a final image but as a base to build what I need to build.

Thanks anyway.