Seccomp Confinement Disabled

HIGH

Service disables seccomp profile. Container can use all system calls, increasing attack surface.

Rule Information

Language
Docker Compose
Category
Security
Author
Shivasurya
Shivasurya
Last Updated
2026-03-22
Tags
docker-composecomposeseccompsecuritysyscallkernelconfinementisolationattack-surface
CWE References
CWE-284

Interactive Playground

Experiment with the vulnerable code and security rule below. Edit the code to see how the rule detects different vulnerability patterns.

pathfinder scan --ruleset docker-compose/COMPOSE-SEC-003 --project .
1
2
3
4
5
6
rule.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

About This Rule

Understanding the vulnerability and how it is detected

This rule detects services with seccomp (secure computing mode) disabled via `security_opt: seccomp:unconfined`. Seccomp is a Linux kernel feature that restricts which system calls a process can make. Disabling it allows containers to use ALL system calls, significantly increasing the attack surface.

How to Fix

Recommended remediation steps

  • 1Review your Dockerfile to address the seccomp confinement disabled issue
  • 2Follow Docker official best practices for image building
  • 3Use docker build --check to validate Dockerfile syntax and best practices

References

External resources and documentation

CWE-284: Improper Access ControlDocker Seccomp Security ProfilesLinux Seccomp BPF Documentation

Similar Rules

Explore related security rules for Docker Compose

LOW

Container Filesystem is Writable

Service has writable root filesystem. Consider making it read-only for better security.

MEDIUM

Using Host IPC Mode

Service uses host IPC namespace. Container shares inter-process communication with host.

MEDIUM

Missing no-new-privileges Security Option

Service does not have no-new-privileges security option. Without this, processes inside the container can gain additional privileges via setuid binaries or capability escalation.

Frequently Asked Questions

Common questions about Seccomp Confinement Disabled

Service disables seccomp profile. Container can use all system calls, increasing attack surface.
Review the secure code example in the playground above and apply the recommended pattern to your Dockerfile or docker-compose.yml.

New feature

Get these findings posted directly on your GitHub pull requests

The Seccomp Confinement Disabled rule runs in CI and posts inline review comments on the exact lines — no dashboard, no SARIF viewer.

See how it works
Back to SecurityAll Languages →