Most Docker containers are running as root.
FROM node:20-alpine
WORKDIR /app
COPY . .
CMD ["node", "server.js"]
This works.
But your app is running with root privileges inside the container.
“If it’s in a container, it’s safe.”
Not exactly.
If your app gets compromised, that’s root access inside the container.
And if there’s ever a container escape or misconfiguration, that risk becomes much bigger than it should be.
The fix
FROM node:20-alpine
WORKDIR /app
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
COPY --chown=appuser:appgroup . .
USER appuser
CMD ["node", "server.js"]
Now your app runs as a non-root user.
Some base images already provide this.
Node has a built-in node user you can switch to.
This is one of those small changes that
• Improves security immediately
• Costs almost nothing to implement
• Gets ignored in most projects
Containers are not an excuse to ignore security basics.
Don’t run everything as root.
Let's connect on LinkedIn
Top comments (0)