Security
Critical security rules for preventing vulnerabilities
4 Security Rules
Run All Security Rules
pathfinder scan --ruleset cpf/docker/securityRules
Sudo Usage in Dockerfile
Severity: MEDIUM
Dockerfile uses 'sudo' in RUN instructions. This is unnecessary during
Tags: docker, dockerfile, sudo, security, privilege-escalation, anti-pattern, best-practice, user, root, unnecessary
CWE-250
Updated 2026-01-17
Docker Socket Mounted as Volume
Severity: CRITICAL
Dockerfile mounts the Docker socket. This gives the container full control over the host Docker daemon, which is equivalent to root access on the host.
Tags: docker, dockerfile, docker-socket, volume, security, privilege-escalation, container-escape, daemon, host-access, critical
CWE-250
Updated 2026-01-17
Container Running as Root - Missing USER
Severity: HIGH
Dockerfile does not specify a USER instruction. The container will run as root by default, which increases the attack surface if the container is compromised.
Tags: docker, dockerfile, container, security, privilege-escalation, root, user, best-practice, hardening, principle-of-least-privilege
CWE-250
Updated 2026-01-17
Secret in Build Argument
Severity: CRITICAL
Build argument name suggests it contains a secret. ARG values are visible in the image history via 'docker history'.
Tags: docker, dockerfile, secrets, credentials, security, arg, build-arg, password, token, api-key, sensitive-data, information-disclosure
CWE-538
Updated 2026-01-17