Using Host PID Mode

HIGH

Service uses host PID namespace. Container can see and potentially signal host processes.

Rule Information

Language
Docker Compose
Category
Security
Author
Shivasurya
Shivasurya
Last Updated
2026-03-22
Tags
docker-composecomposepidhost-pidsecurityisolationnamespaceprocessinformation-disclosure
CWE References
CWE-250

Interactive Playground

Experiment with the vulnerable code and security rule below. Edit the code to see how the rule detects different vulnerability patterns.

pathfinder scan --ruleset docker-compose/COMPOSE-SEC-009 --project .
1
2
3
4
rule.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

About This Rule

Understanding the vulnerability and how it is detected

This rule detects services using `pid: host`, which disables PID namespace isolation. This allows the container to see and interact with ALL processes running on the host system, including sending signals to them, viewing their command lines, and potentially injecting code.

Security Implications

Potential attack scenarios if this vulnerability is exploited

1

Signal Sending

```bash kill -9 <pid> # Kill host processes (if permissions allow) killall -9 sshd # DoS attack on SSH ```

2

Information Disclosure

```bash cat /proc/*/cmdline # Read command lines (may contain secrets) cat /proc/*/environ # Read environment variables ```

How to Fix

Recommended remediation steps

  • 1Review your Dockerfile to address the using host pid mode issue
  • 2Follow Docker official best practices for image building
  • 3Use docker build --check to validate Dockerfile syntax and best practices

References

External resources and documentation

CWE-250: Execution with Unnecessary PrivilegesDocker PID Namespace DocumentationCIS Docker Benchmark: Section 5.15

Similar Rules

Explore related security rules for Docker Compose

LOW

Container Filesystem is Writable

Service has writable root filesystem. Consider making it read-only for better security.

MEDIUM

Using Host IPC Mode

Service uses host IPC namespace. Container shares inter-process communication with host.

MEDIUM

Missing no-new-privileges Security Option

Service does not have no-new-privileges security option. Without this, processes inside the container can gain additional privileges via setuid binaries or capability escalation.

Frequently Asked Questions

Common questions about Using Host PID Mode

Service uses host PID namespace. Container can see and potentially signal host processes.
Review the secure code example in the playground above and apply the recommended pattern to your Dockerfile or docker-compose.yml.

New feature

Get these findings posted directly on your GitHub pull requests

The Using Host PID Mode rule runs in CI and posts inline review comments on the exact lines — no dashboard, no SARIF viewer.

See how it works
Back to SecurityAll Languages →