Ciguard Container Image Inherits Default Root User Privileges Vulnerability
Vulnerability
A vulnerability exists in the Ciguard container image published at ghcr.io/jo-jo98/ciguard, versions 0.1.0 through 0.8.1. The Dockerfile does not include a USER directive, so the image runs as the default root user. Ciguard, a static security auditor for CI/CD pipelines, does not require root privileges. Running as root increases the impact of a container-runtime escape, as recent runc CVEs have shown in scenarios where the host and container user IDs were both zero. With a non-root USER directive in place, any future escape would land as a non-root user on the host, limiting the impact.
Impact
This issue is a defense-in-depth gap rather than a directly exploitable flaw: it only matters in combination with a separate container-runtime vulnerability, but recent runc CVEs have shown that a runtime escape is more impactful when the container process runs as root.
Remediation
Users can upgrade to Ciguard version 0.8.2, which addresses this vulnerability by adding a USER directive in the Dockerfile. The latest version can be downloaded from the GitHub Releases page.
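The check below is an added example, not code from the advisory or from the Ciguard project. It is a small POSIX-sh script that reads a Dockerfile and reports whether the resulting image would run as root: no USER directive at all, or a final USER that resolves to root / UID 0. It tracks the last FROM so that a USER line in an earlier build stage (which does not carry over to the final stage) is not mistaken for a fix. The Dockerfiles it inspects are constructed samples written to a temporary directory; image names, user names and the `app` entrypoint in them are placeholders, not Ciguard's actual Dockerfile.

```shell
#!/bin/sh
# Added example: flag Dockerfiles whose final stage runs as root.
# Not part of the advisory or the Ciguard project.

# Print the effective user of the final stage. Each FROM starts a new stage
# whose default user is root; the last USER directive in that stage wins.
# Variables such as "USER ${APP_USER}" are not expanded (reported verbatim).
effective_user() {
    awk '
        toupper($1) == "FROM" { u = "" }                      # new stage: back to default root
        toupper($1) == "USER" { u = $2; sub(/:.*/, "", u) }   # drop an optional ":group"
        END { print (u == "" ? "root" : u) }
    ' "$1"
}

# Return 0 (true) when the image would run as root, 1 otherwise.
runs_as_root() {
    case "$(effective_user "$1")" in
        root|0) return 0 ;;
        *)      return 1 ;;
    esac
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed sample: the pattern this advisory describes (no USER directive).
cat > "$tmp/Dockerfile.root" <<'EOF'
FROM python:3.12-slim
COPY . /app
ENTRYPOINT ["/app/app"]
EOF

# Constructed sample: remediated, a dedicated unprivileged user is created and used.
cat > "$tmp/Dockerfile.fixed" <<'EOF'
FROM python:3.12-slim
RUN useradd --system --uid 10001 --no-create-home ciguard
COPY . /app
USER ciguard
ENTRYPOINT ["/app/app"]
EOF

# Constructed sample: USER is present but explicitly selects UID 0.
cat > "$tmp/Dockerfile.uid0" <<'EOF'
FROM debian:bookworm-slim
USER 0
ENTRYPOINT ["/bin/app"]
EOF

# Constructed sample: multi-stage build where only the builder stage drops
# privileges; the final stage silently falls back to root.
cat > "$tmp/Dockerfile.multistage" <<'EOF'
FROM golang:1.22 AS build
USER 1000:1000
RUN go build -o /out/app .
FROM debian:bookworm-slim
COPY --from=build /out/app /usr/local/bin/app
ENTRYPOINT ["/usr/local/bin/app"]
EOF

for f in "$tmp"/Dockerfile.*; do
    if runs_as_root "$f"; then
        echo "$(basename "$f"): runs as root (effective user: $(effective_user "$f"))"
    else
        echo "$(basename "$f"): runs as $(effective_user "$f")"
    fi
done
```

For an image that has already been built or pulled, the same question can be answered from its metadata with `docker inspect --format '{{.Config.User}}' <image>`; an empty value means the image has no user set and will run as root. Until an affected image is rebuilt with a USER directive, running it with `docker run --user <uid>:<gid>` overrides the image default at launch time.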