ciguard: Container image runs as root (no USER directive)

GHSA-jrm4-4pcf-4763 · CVE-2026-44218

Published May 5, 2026 · Modified May 16, 2026

Description

Summary

The published ghcr.io/jo-jo98/ciguard container image inherits the default root user because the Dockerfile lacks a USER directive. ciguard is a static analyser with no need for root privileges; running as root inside a container makes any future container-runtime escape CVE more impactful than it needs to be.

Threat scenario

Defence-in-depth gap. Without a known container-runtime CVE in the chain, this finding is not directly exploitable. Recent runc CVEs (e.g. CVE-2024-21626) provided escape primitives that depended on host UID = container UID = 0 for full impact; with this fix, any future such escape primitive lands as a non-root user on the host.

Patch

Dockerfile adds RUN groupadd -r ciguard && useradd -r -g ciguard -d /home/ciguard -m -s /usr/sbin/nologin ciguard && chown -R ciguard:ciguard /reports /policies-mount /app.
Followed by USER ciguard before the CMD directive.
Trivy DS-0002 misconfig clears (Tests: 20 SUCCESSES: 20 FAILURES: 0).

Discovery

Found by Trivy filesystem scan during ciguard's first self-conducted pentest cycle, 2026-04-26.

CVSS Scoring

CVSS v3.1: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N — 2.0 (Low)
CVSS v4.0: CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N — 3.4 (Low) per Cycle 1 report; GitHub's calc 1.8 (Low). Both Low.

Verification

$ docker run --rm ghcr.io/jo-jo98/ciguard:v0.8.2 id
uid=999(ciguard) gid=999(ciguard) groups=999(ciguard)

References

Fix released in v0.8.2
CI regression gate added in v0.8.3
https://www.cve.org/CVERecord?id=CVE-2026-44218

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes