Home Technical Support Docker User Flags and Environment Variables for Security Tools: When and Why to Use Them

Docker User Flags and Environment Variables for Security Tools: When and Why to Use Them

Last updated on Jan 06, 2026

Docker User Flags and Environment Variables for Security Tools: When and Why to Use Them

In DevSecOps labs you’ll often run security scanners (Retire.js, Safety, Renovate, Semgrep, TruffleHog) inside Docker containers. A common source of confusion is the use of the --user $(id -u):$(id -g) flag and environment‑variable configuration. This article explains when the user flag is required, how to configure Renovate for different platforms, login requirements for Semgrep, and the role of TruffleHog’s --filesystem --directory option. By the end you’ll know how to run each tool securely and without unnecessary permission problems.

1. Understanding the Docker --user Flag

1.1 What does --user $(id -u):$(id -g) do?

  • Sets UID/GID – The container runs with the same user and group IDs as the host user who invoked Docker.
  • Prevents root‑owned files – Files created inside the mounted volume keep the host user’s ownership, avoiding permission headaches later.
  • Implements least‑privilege – The container does not run as root unless the image explicitly requires it.

1.2 When is the flag necessary?

Scenario Reason to use --user
Mounting host source code (e.g., -v $(pwd):/src) The scanner writes temporary files or caches; you want those files owned by your host user.
Running on CI agents with non‑root users Guarantees the container respects the CI runner’s security policy.
Images that default to root but your policy forbids it Override the default to comply with organizational guidelines.

1.3 When can you omit the flag?

  • Tools that only read files and never create output (e.g., Retire.js, Safety) can safely run as the image’s default user, often root.
  • The image already defines a non‑root user that matches your needs.

Key takeaway: Use the flag only when you need to control file ownership or enforce non‑root execution. It is optional for read‑only scans.

2. Configuring Renovate for GitHub vs. GitLab

Renovate automates dependency updates. Its configuration differs between platforms because of how authentication and defaults are handled.

2.1 GitHub – Quick start with an environment variable

  1. Set the token 
    export RENOVATE_TOKEN=ghp_XXXXXXXXXXXXXXXXXXXX
  2. Run Renovate 
    docker run --rm -e RENOVATE_TOKEN hysnsec/renovate renovate USER/REPOSITORY
  • GitHub’s API accepts a personal access token passed via RENOVATE_TOKEN.
  • The CLI automatically infers the host (github.com) and the repository from the argument, so no extra config file is needed.

2.2 GitLab – Need a renovate.json (or config.js) file

  1. Create a config file (e.g., renovate.json) with at least the platform definition: 
    {
  "platform": "gitlab",
  "gitlabEndpoint": "https://gitlab.com/api/v4/",
  "token": "glpat-XXXXXXXXXXXXXXXXXXXX"
}
  2. Mount the file and run Renovate: 
    docker run --rm -v $(pwd)/renovate.json:/usr/src/app/renovate.json \
    -e RENOVATE_CONFIG_FILE=/usr/src/app/renovate.json \
    hysnsec/renovate renovate GROUP/PROJECT
  • GitLab’s API requires the endpoint URL and often additional settings (e.g., self‑hosted instances).
  • Because the CLI cannot infer these details from a simple user/repo argument, a configuration file is mandatory.

Why the difference? GitHub’s public SaaS API follows a predictable pattern, allowing Renovate to operate with minimal setup. GitLab, especially self‑hosted deployments, varies in URL and authentication, so a config file provides the necessary context.

3. Logging into Semgrep – Do Not Use the Root Account

Semgrep’s hosted platform expects each user to authenticate with a personal GitHub or GitLab account that is linked to their Semgrep account.

  • Do not use the generic training credentials (root:pdso-training).
  • Avoid corporate GitHub/GitLab accounts because they may lack the required scopes or could expose internal repositories.

Recommended login flow

  1. Create a personal GitHub/GitLab account (if you don’t already have one).
  2. Sign up for Semgrep Cloud and link the account.
  3. Authenticate via the CLI: 
    semgrep login --token <your-semgrep-token>

4. TruffleHog: Branch Targeting and the --filesystem --directory Flag

TruffleHog can scan either Git histories or local filesystem content.

4.1 Scanning a specific branch (Git mode)

docker run --rm -v $(pwd):/src hysnsec/trufflehog git \
    --repo https://github.com/USER/REPO.git \
    --branch develop
  • The --branch option tells TruffleHog which commit history to analyze.

4.2 Scanning a local directory (Filesystem mode)

docker run --rm -v $(pwd):/src hysnsec/trufflehog filesystem \
    --directory=/src
  • No --branch needed because you are scanning the current files, not Git history.

4.3 Role of the --user flag in the examples

docker run --user $(id -u):$(id -g) -v $(pwd):/src --rm hysnsec/trufflehog filesystem --directory=/src
  • Adding --user simply runs the container under your host UID/GID, preventing root‑owned artifacts in /src.
  • Removing it runs the container as the image’s default user (often root). The scan still works; the only difference is file ownership of any temporary data.

Bottom line: The --user flag is optional for TruffleHog unless you need to preserve file permissions on the host.

5. Common Questions & Tips

Question Answer
Do I always need --user for Docker security tools? No. Use it when the tool writes to a mounted volume or when your policy forbids root.
Can Renovate work with GitLab without a config file? Only if you use the hosted GitLab SaaS with default endpoints; otherwise a config file is required.
What token scopes are needed for Renovate on GitHub? repo (full control of private repos) and read:org if you work with organization resources.
Is it safe to run Semgrep with my corporate GitHub account? Not recommended. Use a personal account that you control and that has only the necessary repository access.
Why does TruffleHog sometimes fail with permission errors? The container may be running as root and creates files owned by root. Adding --user $(id -u):$(id -g) resolves this.

Quick tip: Always test a Docker command without --user first. If you see “permission denied” when the container writes to a host‑mounted directory, re‑run with the flag.

6. Summary

  • The Docker --user $(id -u):$(id -g) flag is optional and only required for write‑access scenarios or strict least‑privilege policies.
  • Renovate’s GitHub integration is streamlined via an environment variable, whereas GitLab needs a configuration file to specify endpoint and token details.
  • Semgrep login must use a personal GitHub/GitLab account; the generic root credentials are not valid.
  • TruffleHog’s --filesystem --directory mode scans local files and does not depend on the --user flag; the flag only influences file ownership on the host.

By understanding these nuances, you can run security tools efficiently, keep your host environment clean, and stay compliant with best‑practice DevSecOps workflows.