diff --git a/docker/Dockerfile b/docker/Dockerfile
index b429c8d3..9d32ca11 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -149,6 +149,10 @@ ARG GITREF=unknown
 LABEL org.opencontainers.image.revision=$GITREF
 
 
+ARG USERID=10001
+ARG GROUPID=10001
+USER ${USERID}:${GROUPID}
+
 ##################################################
 #
 # Dev image
@@ -167,3 +171,8 @@ RUN --mount=type=cache,target=/root/.cache \
 
 # Override ENTRYPOINT rather than CMD so we can pass arbitrary commands to the entrypoint script
 ENTRYPOINT ["/app/docker/entrypoints/dev.sh"]
+
+# Run as non root user. Required when building image.
+ARG USERID
+ARG GROUPID
+USER ${USERID}:${GROUPID}
diff --git a/docker/docker-compose.yaml b/docker/docker-compose.yaml
index e352358d..35b5cbcd 100644
--- a/docker/docker-compose.yaml
+++ b/docker/docker-compose.yaml
@@ -44,6 +44,10 @@ services:
     build:
       # the dev stage in the Dockerfile
       target: opencodelists-dev
+      args:
+        # user developer uid:gid in dev
+        - USERID=${DEV_USERID:-1000}
+        - GROUPID=${DEV_GROUPID:-1000}
     # paths relative to docker-compose.yaml file
     volumes:
       - ..:/app
diff --git a/docker/justfile b/docker/justfile
index 653a6cf3..f24f0613 100644
--- a/docker/justfile
+++ b/docker/justfile
@@ -10,6 +10,10 @@ export COMPOSE_DOCKER_CLI_BUILD := "1"
 
 export BIN := "/opt/venv/bin"
 
+export DEV_USERID := `id -u`
+export DEV_GROUPID := `id -g`
+
+
 build env="dev":
     #!/usr/bin/env bash