diff --git a/doc/development/integrations/secure.md b/doc/development/integrations/secure.md
index 5ebe321fd07abb4976cdbcb6af8a604a0c4767a0..f8baa669b1c7da6ac00e5d1d3c437450ce8b2448 100644
--- a/doc/development/integrations/secure.md
+++ b/doc/development/integrations/secure.md
@@ -178,6 +178,13 @@ As documented in the [Docker Official Images](https://github.com/docker-library/
 it is strongly encouraged that version number tags be given aliases which allows the user to easily refer to the "most recent" release of a particular series.
 See also [Docker Tagging: Best practices for tagging and versioning Docker images](https://learn.microsoft.com/en-us/archive/blogs/stevelasker/docker-tagging-best-practices-for-tagging-and-versioning-docker-images).
 
+### Permissions
+
+To run a Docker container with non-root privileges the following user and group must be present in the container:
+
+- User `gitlab` with user ID `1000`
+- Group `gitlab` with group ID `1000`
+
 ## Command line
 
 A scanner is a command-line tool that takes environment variables as inputs,
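Review bot: The new `### Permissions` section says the `gitlab` user and group with ID `1000` "must be present in the container", but it does not say whether the image is also expected to run as that user by default or only to have the account defined. Please state which is required, so that integrators know whether creating the account is enough. The sentence also needs a comma after "non-root privileges". Because `customize_rulesets.md` now links to `#permissions`, a more specific heading would make that anchor less likely to break or collide if another "Permissions" heading is added to this page later.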
diff --git a/doc/user/application_security/sast/customize_rulesets.md b/doc/user/application_security/sast/customize_rulesets.md
index f5e83464a4f0b0074724299d6c9599265aef435a..03df1166be435082909bbdfb90d293ff08d3c440 100644
--- a/doc/user/application_security/sast/customize_rulesets.md
+++ b/doc/user/application_security/sast/customize_rulesets.md
@@ -145,7 +145,7 @@ differ based on the kind of configuration you're making.
 | `[[$analyzer.ruleset]]` | Predefined rules | Defines modifications to an existing rule. |
 | `interpolate` | All | If set to `true`, you can use `$VAR` in the configuration to evaluate environment variables. Use this feature with caution, so you don't leak secrets or tokens. (Default: `false`) |
 | `description` | Passthroughs | Description of the custom ruleset. |
-| `targetdir`   | Passthroughs | The directory where the final configuration should be persisted. If empty, a directory with a random name is created. The directory can contain up to 100 MB of files. |
+| `targetdir`   | Passthroughs | The directory where the final configuration should be persisted. If empty, a directory with a random name is created. The directory can contain up to 100 MB of files. In case the SAST job is running with non-root user privileges, ensure that the [active user](../../../development/integrations/secure.md#permissions) has read and write permissions for this directory. |
 | `validate`    | Passthroughs | If set to `true`, the content of each passthrough is validated. The validation works for `yaml`, `xml`, `json` and `toml` content. The proper validator is identified based on the extension used in the `target` parameter of the `[[$analyzer.passthrough]]` section. (Default: `false`) |
 | `timeout`     | Passthroughs | The maximum time to spend to evaluate the passthrough chain, before timing out. The timeout cannot exceed 300 seconds. (Default: 60) |
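Review bot: In the `targetdir` row, the added sentence refers to the "active user", but the linked `#permissions` section only lists user `gitlab` (ID `1000`) and group `gitlab` (ID `1000`) and never uses that term. Name the user and IDs here, or use the same wording in both places, so the reader does not need to follow a link from the user docs into the development docs to learn which account needs access. "In case the SAST job is running with non-root user privileges" reads more directly as "If the SAST job runs as a non-root user". The row also says that an empty `targetdir` results in a directory with a random name; it would help to say whether the read and write requirement applies to that case too.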