Strategies for detecting running services as root in images?

This is perhaps a high-level question.

Docker typically runs as root, but the typical advice for running server-side applications is not to have them run as root.

It’s certainly possible to follow that advice in the images we build, perhaps by using the “USER” command in a Dockerfile.

Are there any convenient mechanisms or strategies for “enforcing” this policy, or even to detect that it’s not being followed, in general?

Obviously, this can be done on an individual basis, through manual code review or inspection.

I believe that at least one of the commercial Docker server products has something like a “security scan”, but I don’t know if there’s a provision for customizable policy checking and enforcement.