Docker Socket Exposed to Container

CRITICAL

The service mounts the Docker socket. The socket is owned by root, so giving a container access to it is equivalent to giving unrestricted root access to the host.

Rule Information

Language
Docker Compose
Category
Security
Author
Shivasurya
Last Updated
2026-03-22
Tags
docker-compose, compose, docker-socket, volume, security, privilege-escalation, container-escape, daemon, critical, host-access
CWE References

Interactive Playground

Experiment with the vulnerable code and security rule below. Edit the code to see how the rule detects different vulnerability patterns.

pathfinder scan --ruleset docker-compose/COMPOSE-SEC-002 --project .

About This Rule

Understanding the vulnerability and how it is detected

This rule detects docker-compose services that mount the Docker socket (/var/run/docker.sock or /run/docker.sock) as a volume. The Docker socket is owned by root and provides complete control over the Docker daemon. Giving a container access to it is equivalent to giving unrestricted root access to the host system.

This is identical to DOCKER-SEC-006 but for docker-compose configurations.

How to Fix

Recommended remediation steps

  1. Never mount the Docker socket into application containers
  2. Use the Docker API over TLS with client certificates if remote access is needed
  3. Consider rootless Docker or Podman to reduce socket exposure risk
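The following is an added example, not the pathfinder rule's own implementation, that shows the detection described under "About This Rule" together with the remediation shape from the steps above. It operates on the dictionary that `yaml.safe_load()` produces for a compose file, so the sample compose content is a constructed dict literal and no YAML parser is needed to run it. Service names, image names and the `docker-api` hostname are assumptions. It goes slightly beyond the rule text in two ways: it handles both the short string and the long mapping volume syntax, and it reports `:ro` socket mounts as findings too, because a read-only bind mount does not stop a process from connecting to the socket and issuing API calls.

```python
"""Detect docker-compose services that bind-mount the Docker daemon socket.

Added example, not the pathfinder rule's code. Input is the dict returned by
yaml.safe_load() on a compose file; SAMPLE_COMPOSE below is a constructed
stand-in for that dict.
"""
from typing import Any, Dict, List, Optional

# Host-side socket paths named by the rule (/run is the usual alias of /var/run).
DOCKER_SOCKET_PATHS = frozenset({"/var/run/docker.sock", "/run/docker.sock"})


def _host_source(volume: Any) -> Optional[str]:
    """Return the host-side path of one volume entry, or None if it has none.

    Short syntax: "host:container[:opts]"; long syntax: {type: bind, source: ...}.
    Named volumes (e.g. "static:/srv/static") have no host path and are ignored.
    """
    if isinstance(volume, str):
        host = volume.split(":", 1)[0]
        return host if host.startswith("/") else None
    if isinstance(volume, dict):
        if volume.get("type") == "volume":
            return None
        source = volume.get("source")
        if isinstance(source, str) and source.startswith("/"):
            return source
    return None


def _is_read_only(volume: Any) -> bool:
    """True when the entry carries :ro (short) or read_only: true (long)."""
    if isinstance(volume, str):
        parts = volume.split(":")
        return len(parts) > 2 and "ro" in parts[2].split(",")
    return bool(volume.get("read_only", False))


def find_socket_mounts(compose: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding per service volume whose host path is the Docker socket."""
    findings = []
    services = compose.get("services") or {}
    for name, service in services.items():
        for volume in (service or {}).get("volumes") or []:
            host = _host_source(volume)
            if host is None or host.rstrip("/") not in DOCKER_SOCKET_PATHS:
                continue
            read_only = _is_read_only(volume)
            note = "read-only mount still allows full API access" if read_only else ""
            findings.append({
                "service": name,
                "mount": volume,
                "read_only": read_only,
                "severity": "CRITICAL",
                "note": note,
            })
    return findings


# Constructed sample: two flagged services, one ordinary service, and one
# remediated service that talks to the daemon over TLS instead of the socket.
# The environment variable names are the Docker CLI's own (DOCKER_HOST,
# DOCKER_TLS_VERIFY, DOCKER_CERT_PATH); the docker-api host is an assumption.
SAMPLE_COMPOSE = {
    "services": {
        "ci-runner": {
            "image": "runner:1",
            "volumes": ["/var/run/docker.sock:/var/run/docker.sock"],
        },
        "monitor": {
            "image": "agent:1",
            "volumes": [{"type": "bind", "source": "/run/docker.sock",
                         "target": "/var/run/docker.sock", "read_only": True}],
        },
        "web": {
            "image": "web:1",
            "volumes": ["static:/srv/static", "./config:/etc/app:ro"],
        },
        "builder": {
            "image": "runner:1",
            "environment": {"DOCKER_HOST": "tcp://docker-api:2376",
                            "DOCKER_TLS_VERIFY": "1",
                            "DOCKER_CERT_PATH": "/certs/client"},
            "volumes": ["./certs/client:/certs/client:ro"],
        },
    },
    "volumes": {"static": {}},
}


if __name__ == "__main__":
    for finding in find_socket_mounts(SAMPLE_COMPOSE):
        print(f"[{finding['severity']}] service '{finding['service']}' mounts "
              f"{finding['mount']!r} {finding['note']}".rstrip())
```

Running the block flags `ci-runner` and `monitor` and leaves `web` and `builder` alone; `builder` is the shape step 2 describes, with the client certificate directory mounted rather than the socket.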

References

External resources and documentation


Frequently Asked Questions

Common questions about Docker Socket Exposed to Container

The Docker socket gives unrestricted access to the Docker daemon. A container with the socket mounted can create privileged containers, access host filesystems, and effectively gain root on the host.
Use Docker-in-Docker (dind) with TLS enabled, or use Kaniko/Buildah for building images without requiring Docker socket access.

New feature

Get these findings posted directly on your GitHub pull requests

The Docker Socket Exposed to Container rule runs in CI and posts inline review comments on the exact lines — no dashboard, no SARIF viewer.
