...
# trivy:ignore:AVD-DS-0001
# trivy:ignore:AVD-DS-0002
FROM kalilinux/kali-rolling:latest
...
When I run trivy 0.66.0 on Mac, I still get a finding for AVD-DS-0002. Note that this does not happen if I put an explicit USER root statement at the end of my Dockerfile and move the # trivy:ignore:AVD-DS-0002 comment there but I'd rather not do that workaround.
Ignore both AVD-DS-0001 and AVD-DS-0002.
AVD-DS-0001 is successfully ignored but not AVD-DS-0002.
1. Clone the repo https://github.com/leplusorg/docker-kali or download https://github.com/leplusorg/docker-kali/raw/refs/heads/main/kali/Dockerfile
2. Run trivy 0.66.0 like this:
$ trivy filesystem --scanners misconfig kali/Dockerfile
2025-09-09T11:37:59+02:00 INFO [misconfig] Misconfiguration scanning is enabled
2025-09-09T11:37:59+02:00 INFO Detected config files num=1
Report Summary
┌────────────┬────────────┬───────────────────┐
│ Target │ Type │ Misconfigurations │
├────────────┼────────────┼───────────────────┤
│ Dockerfile │ dockerfile │ 1 │
└────────────┴────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
Dockerfile (dockerfile)
Tests: 26 (SUCCESSES: 25, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
See https://avd.aquasec.com/misconfig/ds002
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
### Target
Filesystem
### Scanner
Misconfiguration
### Output Format
Table
### Mode
Standalone
### Debug Output
```bash
$ trivy filesystem --scanners misconfig --debug kali/Dockerfile
2025-09-09T11:43:30+02:00 DEBUG No plugins loaded
2025-09-09T11:43:30+02:00 DEBUG Default config file "file_path=trivy.yaml" not found, using built in values
2025-09-09T11:43:30+02:00 DEBUG Cache dir dir="/Users/thomas/Library/Caches/trivy"
2025-09-09T11:43:30+02:00 DEBUG Cache dir dir="/Users/thomas/Library/Caches/trivy"
2025-09-09T11:43:30+02:00 DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-09-09T11:43:30+02:00 DEBUG Ignore statuses statuses=[]
2025-09-09T11:43:30+02:00 INFO [misconfig] Misconfiguration scanning is enabled
2025-09-09T11:43:30+02:00 DEBUG [notification] Running version check
2025-09-09T11:43:30+02:00 DEBUG [misconfig] Checks successfully loaded from disk
2025-09-09T11:43:30+02:00 DEBUG [notification] Version check completed latest_version="0.66.0"
2025-09-09T11:43:30+02:00 DEBUG [rego] Overriding filesystem for checks
2025-09-09T11:43:30+02:00 DEBUG [rego] Embedded libraries are loaded count=17
2025-09-09T11:43:30+02:00 DEBUG [rego] Embedded checks are loaded count=519
2025-09-09T11:43:30+02:00 DEBUG [rego] Checks from disk are loaded count=536
2025-09-09T11:43:30+02:00 DEBUG [rego] Overriding filesystem for data
2025-09-09T11:43:30+02:00 DEBUG Enabling misconfiguration scanners scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-09-09T11:43:30+02:00 DEBUG Initializing scan cache... type="memory"
2025-09-09T11:43:30+02:00 DEBUG [fs] Analyzing... root="kali/Dockerfile"
2025-09-09T11:43:30+02:00 DEBUG [fs] Random cache key will be used err="failed to open git repository: stat /Users/thomas/code/docker-kali/kali/Dockerfile/.git: not a directory"
2025-09-09T11:43:30+02:00 DEBUG Created process-specific temp directory path="/var/folders/ck/2xvbk39d4zn86q23g4p7phd40000gn/T/trivy-99307"
2025-09-09T11:43:30+02:00 DEBUG [misconfig] Scanning files for misconfigurations... scanner="Dockerfile"
2025-09-09T11:43:30+02:00 DEBUG [dockerfile scanner] Scanning files... count=1
2025-09-09T11:43:30+02:00 DEBUG [rego] Scanning inputs count=1
2025-09-09T11:43:30+02:00 DEBUG OS is not detected.
2025-09-09T11:43:30+02:00 INFO Detected config files num=1
2025-09-09T11:43:30+02:00 DEBUG Scanned config file file_path="Dockerfile"
2025-09-09T11:43:30+02:00 DEBUG Specified ignore file does not exist file=".trivyignore"
2025-09-09T11:43:30+02:00 DEBUG [vex] VEX filtering is disabled
Report Summary
┌────────────┬────────────┬───────────────────┐
│ Target │ Type │ Misconfigurations │
├────────────┼────────────┼───────────────────┤
│ Dockerfile │ dockerfile │ 1 │
└────────────┴────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
Dockerfile (dockerfile)
Tests: 26 (SUCCESSES: 25, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
See https://avd.aquasec.com/misconfig/ds002
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
2025-09-09T11:43:30+02:00 DEBUG Cleaning up temp directory path="/var/folders/ck/2xvbk39d4zn86q23g4p7phd40000gn/T/trivy-99307"
$ trivy --version
Version: 0.66.0
Vulnerability DB:
Version: 2
UpdatedAt: 2025-09-09 06:29:47.446032105 +0000 UTC
NextUpdate: 2025-09-10 06:29:47.446031854 +0000 UTC
DownloadedAt: 2025-09-09 09:27:57.633275 +0000 UTC
Check Bundle:
Digest: sha256:a471e90b7c7335e914ec9075b74cf8f65e4c91e6cecfa7e39c587382808d2684
DownloadedAt: 2025-09-09 09:29:21.221658 +0000 UTC
Discussed in #9455
Originally posted by thomasleplus September 9, 2025
Description
Hi,
I use two inline ignores in the following Dockerfile:
When I run trivy 0.66.0 on Mac, I still get a finding for AVD-DS-0002. Note that this does not happen if I put an explicit
USER rootstatement at the end of my Dockerfile and move the# trivy:ignore:AVD-DS-0002comment there but I'd rather not do that workaround.Thanks!
Desired Behavior
Ignore both AVD-DS-0001 and AVD-DS-0002.
Actual Behavior
AVD-DS-0001 is successfully ignored but not AVD-DS-0002.
Reproduction Steps
Operating System
macOS Sequoia 15.6.1
Version
Checklist
trivy clean --all