Container Security
Security rules for Docker Compose services
Run All Container Security Rules
pathfinder scan --ruleset cpf/docker-compose/securityRules
Dangerous Capability Added
Severity: high. Detects services that add dangerous Linux capabilities such as SYS_ADMIN, SYS_MODULE, or SYS_PTRACE, which can be used for container escape or privilege escalation.
Docker Socket Exposed to Container
Severity: critical. Detects services that mount the Docker socket, giving the container full control over the Docker daemon, which is equivalent to unrestricted root access to the host.
Using Host IPC Mode
Severity: medium. Detects services using the host IPC namespace, which lets the container access the host's shared memory segments, semaphores, and message queues.
Using Host Network Mode
Severity: high. Detects services using host network mode, which disables Docker's network isolation and makes the container share the host's network stack.
Using Host PID Mode
Severity: high. Detects services using the host PID namespace, allowing the container to see and interact with all processes running on the host system.
Service Running in Privileged Mode
Severity: critical. Detects services configured with privileged mode, which disables almost all container security features and grants nearly all capabilities of the host machine.
Seccomp Confinement Disabled
Severity: high. Detects services with seccomp disabled, allowing the container to use all system calls and significantly increasing the attack surface.
Container Filesystem is Writable
Severity: low. Detects services without a read-only filesystem, which allows an attacker to modify binaries, install malware, or persist backdoors within the container.
Missing no-new-privileges Security Option
Severity: medium. Detects services without the no-new-privileges security option, which allows processes to gain additional privileges via setuid/setgid binaries.
SELinux Separation Disabled
Severity: medium. Detects services that explicitly disable SELinux separation, removing a critical mandatory access control layer.