---
title: "Check Last User"
diataxis: reference
applies_to:
  product: "kyverno"
audience: ["platform-engineer","devsecops"]
last_updated: 2026-03-25
url: https://docs.nirmata.io/docs/policy-sets/dockerfile_best_practices/check-last-user/
---


### Description

The last `USER` instruction in a Dockerfile determines the default user for the container when it starts. This policy validates that the last `USER` is not root. Running containers as a non-root user significantly limits the damage an attacker can inflict after compromising a container.
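The check described above, sketched in Python as an added example (this is not the Nirmata policy or code from the Kyverno project). The function names and sample Dockerfiles are constructed for illustration; scoping the check to the final build stage and failing a stage that has no `USER` or an unresolved variable are assumptions of this example.

```python
def logical_lines(dockerfile):
    """Yield instructions with comment lines dropped and backslash continuations
    joined. Heredoc bodies and a custom `# escape=` directive are not handled."""
    buf = ""
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield (buf + line).strip()
        buf = ""


def last_user(dockerfile):
    """Return the argument of the last USER instruction in the final build
    stage, or None if that stage has none."""
    user = None
    for instr in logical_lines(dockerfile):
        parts = instr.split(None, 1)
        keyword = parts[0].upper()  # Dockerfile instructions are case-insensitive
        if keyword == "FROM":
            user = None  # assumption: only the final stage's USER counts
        elif keyword == "USER" and len(parts) == 2:
            user = parts[1].strip()
    return user


def check_last_user(dockerfile):
    """Return (passed, reason) for the 'last USER is not root' rule."""
    user = last_user(dockerfile)
    if user is None:
        # Assumption: a final stage without USER is flagged, not passed.
        return False, "no USER instruction in final stage"
    name = user.split(":", 1)[0]  # USER accepts user[:group]
    if name == "root" or (name.isdigit() and int(name) == 0):
        return False, f"last USER is root ({user})"
    if "$" in name:
        return False, f"last USER is an unresolved variable ({user})"
    return True, f"last USER is {user}"


# Constructed sample inputs; PAGE_EXAMPLE mirrors the Dockerfile on this page.
PAGE_EXAMPLE = "FROM base\n\nUSER root\nCOPY test.sh /test.sh\n\nUSER non-root\n"
UID_ZERO = "FROM base\nUSER app\nRUN true\nUSER 0:0\n"
MULTI_STAGE = "FROM base AS build\nUSER app\nFROM scratch\nCOPY --from=build /a /a\n"
```

`check_last_user(PAGE_EXAMPLE)` passes, while `UID_ZERO` fails because a numeric UID of 0 is root under another spelling, and `MULTI_STAGE` fails because the non-root `USER` belongs to a stage that is not the final image.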

### Kyverno policy

Refer to the Nirmata curated policies - [check-last-user](https://github.com/nirmata/kyverno-policies/blob/main/dockerfile-best-practices/check-last-user/check-last-user.yaml).

### Resource example

Below is an example of a Dockerfile that complies with this policy.

```dockerfile
FROM base

USER root
COPY test.sh /test.sh

USER non-root
```

