Rule Information
Tags
dockerdockerfileportexposeprivilegedrootsecurityunixnetworkingcapabilitiesbest-practice
CWE References
Interactive Playground
Experiment with the vulnerable code and security rule below. Edit the code to see how the rule detects different vulnerability patterns.
pathfinder scan --ruleset docker/DOCKER-AUD-003 --project .1
2
3
4
5
6
7
8
9
10
rule.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
About This Rule
Understanding the vulnerability and how it is detected
This rule detects EXPOSE instructions for ports below 1024 (privileged ports). On Unix-like systems, binding to ports 1-1023 traditionally requires root privileges, which conflicts with the security best practice of running containers as non-root users. While this rule is informational (sometimes privileged ports are intentional), it highlights a potential privilege escalation requirement.
How to Fix
Recommended remediation steps
- 1Never run containers in privileged mode in production
- 2Use specific Linux capabilities (cap_add) instead of full privileges
- 3Use seccomp profiles to restrict system calls
References
External resources and documentation
Similar Rules
Explore related security rules for Docker
Frequently Asked Questions
Common questions about Privileged Port Exposed
Privileged mode gives the container almost all capabilities of the host, including access to all devices. It effectively removes all container isolation.
Identify the specific capability needed (e.g., SYS_PTRACE for debugging) and add only that with cap_add. This follows the principle of least privilege.
New feature
Get these findings posted directly on your GitHub pull requests
The Privileged Port Exposed rule runs in CI and posts inline review comments on the exact lines — no dashboard, no SARIF viewer.