diff --git a/docker/Dockerfile.go_build b/docker/Dockerfile.go_build
index 3b8e120ed..3bd536b70 100644
--- a/docker/Dockerfile.go_build
+++ b/docker/Dockerfile.go_build
@@ -79,5 +79,9 @@ RUN mkdir -p /data/filerldb2 && \
 VOLUME /data
 WORKDIR /data
 
-# Entrypoint will handle permission fixes and user switching
+# Run as non-root by default (satisfies security scanners).
+# Use `docker run --user root` if you need the entrypoint to fix
+# /data volume ownership before dropping privileges.
+USER seaweed
+
 ENTRYPOINT ["/entrypoint.sh"]
diff --git a/docker/Dockerfile.local b/docker/Dockerfile.local
index 9ea378401..051c85120 100644
--- a/docker/Dockerfile.local
+++ b/docker/Dockerfile.local
@@ -37,5 +37,9 @@ RUN mkdir -p /data/filerldb2 && \
 VOLUME /data
 WORKDIR /data
 
-# Entrypoint will handle permission fixes and user switching
+# Run as non-root by default (satisfies security scanners).
+# Use `docker run --user root` if you need the entrypoint to fix
+# /data volume ownership before dropping privileges.
+USER seaweed
+
 ENTRYPOINT ["/entrypoint.sh"]