# COMPOSE-SEC-008: Dangerous Capability Added

> **Severity:** HIGH | **CWE:** CWE-250

- **Language:** Docker Compose
- **Category:** Security
- **URL:** https://codepathfinder.dev/registry/docker-compose/security/COMPOSE-SEC-008
- **Detection:** `pathfinder scan --ruleset docker-compose/COMPOSE-SEC-008 --project .`

## Description

This rule detects services that add dangerous Linux capabilities via `cap_add`.
Linux capabilities divide root privileges into distinct units. Some capabilities
are extremely powerful and can be used for container escape or privilege escalation.
This rule flags the most dangerous ones.

## Vulnerable Code

```yaml
services:
  app:
    image: myapp
    cap_add:
      - SYS_ADMIN   # DANGEROUS - can be used to escape the container
      - NET_ADMIN   # RISKY - full control over the network stack
```

## Detection Rule (Python SDK)

```python
from rules.container_decorators import compose_rule
from rules.container_matchers import service_has


@compose_rule(
    id="COMPOSE-SEC-008",
    name="Dangerous Capability Added",
    severity="HIGH",
    cwe="CWE-250",
    category="security",
    tags="docker-compose,compose,capabilities,cap-add,security,privilege-escalation,container-escape,linux,kernel",
    message="Service adds dangerous capability. These capabilities can be used for container escape or privilege escalation."
)
def dangerous_capabilities():
    """
    Detects services with dangerous capabilities.

    Capabilities like SYS_ADMIN, SYS_MODULE, and SYS_PTRACE provide
    near-root powers and can be exploited for container escape.
    """
    return service_has(
        key="cap_add",
        contains_any=[
            "SYS_ADMIN",
            "NET_ADMIN",
            "SYS_PTRACE",
            "SYS_MODULE",
            "DAC_READ_SEARCH",
            "ALL"
        ]
    )
```

## How to Fix

- Review the `cap_add` entries in your Compose file (and the Dockerfile behind the image) to address the dangerous capability added issue
- Follow Docker's official best practices for image building
- Use `docker build --check` to validate Dockerfile syntax and best practices
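The check below is an added example, not part of the Code Pathfinder SDK or the rule above: it applies the same matching logic (`cap_add` contains any capability from the rule's list) to an already-parsed Compose document and shows a hardened service that passes. Assumptions: the dangerous-capability list mirrors the rule's `contains_any` list; Docker accepts capability names with or without the `CAP_` prefix and in any case, so the checker normalizes them before matching; the two Compose documents and the `load_compose` helper (which uses PyYAML only if it is installed) are constructed for this example.

```python
"""Flag dangerous Linux capabilities granted through Docker Compose `cap_add`."""
from __future__ import annotations

from dataclasses import dataclass

# Capabilities flagged by COMPOSE-SEC-008 (assumed to mirror the rule's list).
DANGEROUS_CAPS = frozenset({
    "SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH", "ALL",
})


@dataclass(frozen=True)
class Finding:
    service: str
    capability: str
    rule_id: str = "COMPOSE-SEC-008"


def normalize_cap(raw: object) -> str:
    """Canonicalize a capability name: 'cap_sys_admin' -> 'SYS_ADMIN'.

    Docker accepts both the bare name and the CAP_-prefixed kernel name,
    case-insensitively, so a naive string match would miss variants.
    """
    name = str(raw).strip().upper()
    if name.startswith("CAP_"):
        name = name[len("CAP_"):]
    return name


def scan_compose(compose: dict) -> list[Finding]:
    """Return one Finding per dangerous capability in any service's cap_add.

    Note that `cap_drop: [ALL]` does not clear a finding: Docker applies drops
    first and adds afterwards, so an added SYS_ADMIN is still granted.
    """
    findings: list[Finding] = []
    services = compose.get("services") or {}
    for svc_name, svc in services.items():
        if not isinstance(svc, dict):
            continue  # malformed entry; nothing to inspect
        caps = svc.get("cap_add") or []
        if isinstance(caps, str):  # tolerate a scalar instead of a list
            caps = [caps]
        for cap in caps:
            name = normalize_cap(cap)
            if name in DANGEROUS_CAPS:
                findings.append(Finding(service=svc_name, capability=name))
    return findings


def load_compose(path: str) -> dict:
    """Parse a docker-compose.yml with PyYAML (optional dependency, assumed)."""
    import yaml  # imported lazily so the module runs without PyYAML installed
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}


# Constructed sample: the page's vulnerable service plus a prefixed/lowercase variant.
VULNERABLE_COMPOSE = {
    "services": {
        "app": {"image": "myapp", "cap_add": ["SYS_ADMIN", "NET_ADMIN"]},
        "debugger": {"image": "myapp", "cap_add": ["cap_sys_ptrace"]},
    }
}

# Constructed sample: drop everything, add back only the narrow capability needed
# to bind a port below 1024 as a non-root user.
HARDENED_COMPOSE = {
    "services": {
        "app": {
            "image": "myapp",
            "cap_drop": ["ALL"],
            "cap_add": ["NET_BIND_SERVICE"],
        },
    }
}


if __name__ == "__main__":
    for doc_name, doc in (("vulnerable", VULNERABLE_COMPOSE), ("hardened", HARDENED_COMPOSE)):
        found = scan_compose(doc)
        print(f"{doc_name}: {len(found)} finding(s)")
        for f in found:
            print(f"  [{f.rule_id}] service '{f.service}' adds {f.capability}")
```

Running the module prints three findings for the first document (`SYS_ADMIN` and `NET_ADMIN` on `app`, `SYS_PTRACE` on `debugger`, despite its `cap_sys_ptrace` spelling) and none for the hardened one, which is the shape a fix should take: `cap_drop: [ALL]` first, then the single least-privileged capability the workload needs.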

## FAQ

**Q: Why does this rule flag dangerous capability added?**

Service adds dangerous capability. These capabilities can be used for container escape or privilege escalation.

**Q: How do I fix this?**

Review the code example above and apply the recommended pattern to your Dockerfile or docker-compose.yml.

## References

- [CWE-250: Execution with Unnecessary Privileges](https://cwe.mitre.org/data/definitions/250.html)
- [Linux Capabilities man page](https://man7.org/linux/man-pages/man7/capabilities.7.html)
- [Docker Security Best Practices](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html)

---

Source: https://codepathfinder.dev/registry/docker-compose/security/COMPOSE-SEC-008
Code Pathfinder — Open source, type-aware SAST with cross-file dataflow analysis
