{"id":"GHSA-jrm4-4pcf-4763","summary":"ciguard: Container image runs as root (no USER directive)","details":"## Summary\n\nThe published `ghcr.io/jo-jo98/ciguard` container image inherits the default root user because the `Dockerfile` lacks a `USER` directive. ciguard is a static analyser with no need for root privileges; running as root inside a container makes any future container-runtime escape CVE more impactful than it needs to be.\n\n## Threat scenario\n\nDefence-in-depth gap. Without a known container-runtime CVE in the chain, this finding is not directly exploitable. Recent runc CVEs (e.g. CVE-2024-21626) provided escape primitives that depended on host UID = container UID = 0 for full impact; with this fix, any future such escape primitive lands as a non-root user on the host.\n\n## Patch\n\n- Dockerfile adds `RUN groupadd -r ciguard && useradd -r -g ciguard -d /home/ciguard -m -s /usr/sbin/nologin ciguard && chown -R ciguard:ciguard /reports /policies-mount /app`.\n- Followed by `USER ciguard` before the `CMD` directive.\n- Trivy DS-0002 misconfig clears (`Tests: 20 SUCCESSES: 20 FAILURES: 0`).\n\n## Discovery\n\nFound by Trivy filesystem scan during ciguard's first self-conducted pentest cycle, 2026-04-26.\n\n## CVSS Scoring\n\n- CVSS v3.1: `CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N` — 2.0 (Low)\n- CVSS v4.0: `CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N` — 3.4 (Low) per Cycle 1 report; GitHub's calc 1.8 (Low). Both Low.\n\n## Verification\n\n```\n$ docker run --rm ghcr.io/jo-jo98/ciguard:v0.8.2 id\nuid=999(ciguard) gid=999(ciguard) groups=999(ciguard)\n```\n\n## References\n\n- Fix released in [v0.8.2](https://github.com/Jo-Jo98/ciguard/releases/tag/v0.8.2)\n- CI regression gate added in [v0.8.3](https://github.com/Jo-Jo98/ciguard/releases/tag/v0.8.3)\n- https://www.cve.org/CVERecord?id=CVE-2026-44218","aliases":["CVE-2026-44218"],"modified":"2026-05-16T00:08:49.968758Z","published":"2026-05-05T22:18:15Z","database_specific":{"github_reviewed_at":"2026-05-05T22:18:15Z","github_reviewed":true,"severity":"LOW","cwe_ids":["CWE-269"],"nvd_published_at":"2026-05-12T20:16:42Z"},"references":[{"type":"WEB","url":"https://github.com/Jo-Jo98/ciguard/security/advisories/GHSA-jrm4-4pcf-4763"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44218"},{"type":"PACKAGE","url":"https://github.com/Jo-Jo98/ciguard"},{"type":"WEB","url":"https://github.com/Jo-Jo98/ciguard/releases/tag/v0.8.2"},{"type":"WEB","url":"https://github.com/Jo-Jo98/ciguard/releases/tag/v0.8.3"}],"affected":[{"package":{"name":"ciguard","ecosystem":"PyPI","purl":"pkg:pypi/ciguard"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0.1.0"},{"fixed":"0.8.2"}]}],"versions":["0.1.0","0.1.1","0.1.2","0.1.3","0.1.4","0.2.0","0.2.1","0.3.0","0.4.0","0.4.1","0.5.0","0.6.0","0.6.1","0.7.0","0.8.1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-jrm4-4pcf-4763/GHSA-jrm4-4pcf-4763.json","last_known_affected_version_range":"\u003c= 0.8.1"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"}]}