Dangerous Capability Added

HIGH

Service adds dangerous capability. These capabilities can be used for container escape or privilege escalation.

Rule Information

Language
Docker Compose
Category
Security
Author
Shivasurya
Shivasurya
Last Updated
2026-03-22
Tags
docker-composecomposecapabilitiescap-addsecurityprivilege-escalationcontainer-escapelinuxkernel
CWE References
CWE-250

Interactive Playground

Experiment with the vulnerable code and security rule below. Edit the code to see how the rule detects different vulnerability patterns.

pathfinder scan --ruleset docker-compose/COMPOSE-SEC-008 --project .
1
2
3
4
5
6
rule.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

About This Rule

Understanding the vulnerability and how it is detected

This rule detects services that add dangerous Linux capabilities via `cap_add`. Linux capabilities divide root privileges into distinct units. Some capabilities are extremely powerful and can be used for container escape or privilege escalation. This rule flags the most dangerous ones.

How to Fix

Recommended remediation steps

  • 1Review your Dockerfile to address the dangerous capability added issue
  • 2Follow Docker official best practices for image building
  • 3Use docker build --check to validate Dockerfile syntax and best practices

References

External resources and documentation

CWE-250: Execution with Unnecessary PrivilegesLinux Capabilities man pageDocker Security Best Practices

Similar Rules

Explore related security rules for Docker Compose

LOW

Container Filesystem is Writable

Service has writable root filesystem. Consider making it read-only for better security.

MEDIUM

Using Host IPC Mode

Service uses host IPC namespace. Container shares inter-process communication with host.

MEDIUM

Missing no-new-privileges Security Option

Service does not have no-new-privileges security option. Without this, processes inside the container can gain additional privileges via setuid binaries or capability escalation.

Frequently Asked Questions

Common questions about Dangerous Capability Added

Service adds dangerous capability. These capabilities can be used for container escape or privilege escalation.
Review the secure code example in the playground above and apply the recommended pattern to your Dockerfile or docker-compose.yml.

New feature

Get these findings posted directly on your GitHub pull requests

The Dangerous Capability Added rule runs in CI and posts inline review comments on the exact lines — no dashboard, no SARIF viewer.

See how it works
Back to SecurityAll Languages →