Container Security
Critical security rules for Docker containers
4 Security Rules
Run All Container Security Rules
pathfinder scan --ruleset cpf/docker/securityRules
Docker Socket Mounted as Volume
Severity: critical. Detects VOLUME instructions that declare the Docker socket (/var/run/docker.sock) as a mount point. A VOLUME line does not bind-mount the host socket by itself; that happens at run time (for example `-v /var/run/docker.sock:/var/run/docker.sock`), but declaring it documents the intent and the image is unsafe to run that way. Any process that can talk to the host's Docker daemon controls it fully, including starting a privileged container with the host filesystem mounted, which is equivalent to unrestricted root on the host.
Tags: docker, security, privilege-escalation, container-escape, critical
CWE-250
Updated 2024-12-19
Secret in Build Argument
Severity: critical. Detects ARG instructions whose names suggest a secret (password, token, API key, private key, credential). A build argument's value is recorded in the metadata of every layer that uses it and can be read back with `docker history --no-trunc` by anyone who can pull the image, so it is not a safe channel for secrets. Pass build-time secrets with BuildKit's `RUN --mount=type=secret` instead, which exposes the value only to that step and never writes it to a layer.
Tags: docker, security, secrets, credentials, critical, data-exposure
CWE-538
Updated 2024-12-19
Sudo Usage in Dockerfile
Severity: medium. Detects sudo in RUN instructions. Build steps already execute as root by default, so sudo adds nothing during the build; leaving the sudo binary (and any sudoers configuration) in the final image widens the attack surface, and a passwordless sudoers entry hands root to any compromised unprivileged process in the container.
Tags: docker, security, sudo, privilege, anti-pattern
CWE-250
Updated 2024-12-19
Container Running as Root - Missing USER
Severity: high. Detects Dockerfiles without a USER instruction. Without one the container's main process runs as root (UID 0), so any code execution in the container starts with full in-container privileges and a much shorter path to the host. Create an unprivileged user in the image and switch to it with USER as the last step, after any installs that genuinely need root.
Tags: docker, security, privilege, root, user, critical
CWE-250
Updated 2024-12-19
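The four rules above are simple enough to re-implement in a few dozen lines, which is a useful way to understand exactly what each one matches and where it produces false positives. The following is an added example, not Pathfinder's own code or its actual matching logic: a small Python linter that parses a Dockerfile (joining backslash continuations, skipping comments) and applies the four checks to two constructed sample Dockerfiles, one that trips every rule and a hardened version of the same build. The rule ids, the secret-name regex and the sample files are my own assumptions. It goes slightly beyond the page's "missing USER" rule in one place, also flagging a final stage whose last USER is root or 0, and resets the USER state on each FROM so only the final stage of a multi-stage build is judged.

```python
import re
from dataclasses import dataclass

# Added example re-implementing the four checks on this page.
# NOT Pathfinder's code; rule ids, regexes and sample Dockerfiles are assumptions.


@dataclass
class Finding:
    rule: str
    severity: str
    line: int      # 1-based Dockerfile line; 0 when the finding is file-wide
    detail: str


# Heuristic for "names suggesting secrets". Anchored on '_' or string edges so
# that e.g. BYPASS_CACHE does not match on the substring PASS.
SECRET_ARG_NAME = re.compile(
    r"(^|_)(PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIALS?)($|_)", re.I)
# sudo as a command word, not as a substring of another token
SUDO_CMD = re.compile(r"(^|[\s;&|(])sudo(\s|$)")


def parse_instructions(dockerfile: str):
    """Yield (line_no, INSTRUCTION, args); joins '\\' continuations, skips comments/blank lines."""
    lines = dockerfile.splitlines()
    i = 0
    while i < len(lines):
        stripped = lines[i].strip()
        start = i + 1
        if not stripped or stripped.startswith("#"):
            i += 1
            continue
        buf = stripped
        while buf.endswith("\\") and i + 1 < len(lines):
            i += 1
            buf = buf[:-1] + " " + lines[i].strip()
        i += 1
        parts = buf.split(None, 1)
        yield start, parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def lint(dockerfile: str) -> list[Finding]:
    findings = []
    user_set = False      # has the current (final) stage set USER?
    user_is_root = True   # every stage starts as root
    for ln, instr, args in parse_instructions(dockerfile):
        if instr == "FROM":
            user_set, user_is_root = False, True   # new stage, back to root
        elif instr == "VOLUME" and "docker.sock" in args:
            findings.append(Finding("docker-socket-volume", "critical", ln, args))
        elif instr == "ARG":
            name = args.split("=", 1)[0].strip()   # ARG NAME[=default]
            if SECRET_ARG_NAME.search(name):
                findings.append(Finding("secret-in-build-arg", "critical", ln, name))
        elif instr == "RUN" and SUDO_CMD.search(args):
            findings.append(Finding("sudo-in-run", "medium", ln, args))
        elif instr == "USER":
            user_set = True
            user_is_root = args.strip().split(":")[0] in ("root", "0")   # USER name[:group]
    if not user_set:
        findings.append(Finding("missing-user", "high", 0, "no USER instruction; runs as root"))
    elif user_is_root:
        findings.append(Finding("missing-user", "high", 0, "final USER is root"))
    return findings


# Constructed sample: trips all four rules.
VULNERABLE_DOCKERFILE = """\
FROM ubuntu:22.04
ARG DB_PASSWORD
ARG BUILD_DATE
VOLUME /var/run/docker.sock
RUN apt-get update && \\
    sudo apt-get install -y curl
CMD ["./app"]
"""

# Constructed sample: the same build hardened. The secret is exposed only to the
# step that mounts it (at /run/secrets/db_password) and never lands in a layer.
HARDENED_DOCKERFILE = """\
# syntax=docker/dockerfile:1
FROM ubuntu:22.04
ARG BUILD_DATE
RUN --mount=type=secret,id=db_password \\
    apt-get update && apt-get install -y curl
RUN useradd --system --uid 10001 --no-create-home app
USER app
CMD ["./app"]
"""

if __name__ == "__main__":
    for name, content in (("vulnerable", VULNERABLE_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(f"== {name}")
        for f in lint(content):
            print(f"  [{f.severity}] line {f.line}: {f.rule}: {f.detail}")
```

Running it reports four findings for the first file (secret ARG on line 2, socket VOLUME on line 4, sudo on line 5, and the file-wide missing USER) and none for the hardened one. The name-based secret check is deliberately a heuristic; it cannot see a secret passed as `ARG VERSION`, so treat it as a guard against obvious mistakes rather than proof that no secret reaches the build.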