ciguard: Container image runs as root (no USER directive)

## Summary The published `ghcr.io/jo-jo98/ciguard` container image inherits the default root user because the `Dockerfile` lacks a `USER` directive. ciguard is a static analyser with no need for root privileges; running as root inside a container makes any future container-runtime escape CVE more impactful than it needs to be. ## Threat scenario Defence-in-depth gap. Without a known container-runtime CVE in the chain, this finding is not directly exploitable. Recent runc CVEs (e.g. CVE-2024-21626) provided escape primitives that depended on host UID = container UID = 0 for full impact; with this fix, any future such escape primitive lands as a non-root user on the host. ## Patch - Dockerfile adds `RUN groupadd -r ciguard && useradd -r -g ciguard -d /home/ciguard -m -s /usr/sbin/nologin ciguard && chown -R ciguard:ciguard /reports /policies-mount /app`. - Followed by `USER ciguard` before the `CMD` directive. - Trivy DS-0002 misconfig clears (`Tests: 20 SUCCESSES: 20 FAILURES: 0`). ## Discovery Found by Trivy filesystem scan during ciguard's first self-conducted pentest cycle, 2026-04-26. ## CVSS Scoring - CVSS v3.1: `CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N` — 2.0 (Low) - CVSS v4.0: `CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N` — 3.4 (Low) per Cycle 1 report; GitHub's calc 1.8 (Low). Both Low. ## Verification ``` $ docker run --rm ghcr.io/jo-jo98/ciguard:v0.8.2 id uid=999(ciguard) gid=999(ciguard) groups=999(ciguard) ``` ## References - Fix released in [v0.8.2](https://github.com/Jo-Jo98/ciguard/releases/tag/v0.8.2) - CI regression gate added in [v0.8.3](https://github.com/Jo-Jo98/ciguard/releases/tag/v0.8.3) - https://www.cve.org/CVERecord?id=CVE-2026-44218