Security
Critical security rules for preventing vulnerabilities
4 Security Rules
Run All Security Rules
pathfinder scan --ruleset docker/security --project .
Rules
Sudo Usage in Dockerfile
Severity: MEDIUM
Dockerfile uses sudo in RUN instructions. Build steps already run as root (unless an earlier USER instruction switched to another account), so sudo adds nothing at build time; if the sudo package is left in the final image it adds an unnecessary setuid binary and a privilege-escalation path. Drop the sudo prefix from RUN commands and use the USER instruction to change privileges instead.
Tags: docker, dockerfile, sudo, security, privilege-escalation, anti-pattern, best-practice, user, root, unnecessary
CWE-250
Updated 2026-03-22
Container Running as Root - Missing USER
Severity: HIGH
Dockerfile has no USER instruction, so the container runs as root by default. If the process is compromised, uid 0 inside the container gives the attacker every capability granted to the container, write access to any mounted host paths, and the best starting point for a kernel or runtime escape. Create a dedicated unprivileged account in the image and switch to it with USER before CMD or ENTRYPOINT.
Tags: docker, dockerfile, container, security, privilege-escalation, root, user, best-practice, hardening, principle-of-least-privilege
CWE-250
Updated 2026-03-22
Secret in Build Argument
Severity: CRITICAL
The name of a build argument suggests it carries a secret (password, token, API key). ARG values are recorded in the image metadata and are visible to anyone who has the image via 'docker history'; an ARG referenced by a RUN instruction is also baked into that layer's recorded command. Pass build-time secrets with a BuildKit secret mount (RUN --mount=type=secret,id=...) instead, which exposes the value only to that RUN step and never to the image layers.
Tags: docker, dockerfile, secrets, credentials, security, arg, build-arg, password, token, api-key, sensitive-data, information-disclosure
CWE-538
Updated 2026-03-22
Docker Socket Mounted as Volume
Severity: CRITICAL
Dockerfile declares the Docker daemon socket (/var/run/docker.sock) as a volume. Any process that can talk to that socket controls the host's Docker daemon and can, for example, start a privileged container with the host filesystem mounted, which is equivalent to root on the host. A VOLUME instruction only declares the mount point; the host socket is actually exposed when the container is run with a bind mount of the socket, but the declaration signals that the image is meant to be run that way and is flagged for that reason.
Tags: docker, dockerfile, docker-socket, volume, security, privilege-escalation, container-escape, daemon, host-access, critical
CWE-250
Updated 2026-03-22
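The following is an added example, not pathfinder's own code, showing how the four rules on this page can be checked against a Dockerfile with plain grep-based detection logic. The regular expressions, the secret-name heuristic and the two constructed Dockerfiles (one that trips every rule, one hardened counterpart) are assumptions made for illustration. The root check goes slightly beyond the page's rule: it also flags an explicit USER root or USER 0, since either leaves the container running as root.

```shell
#!/bin/sh
# Added example (not pathfinder's code): a minimal checker for the four
# Dockerfile rules on this page. Regexes and sample files are assumptions.

# Print Dockerfile lines with comments and blank lines removed.
strip_comments() {
  grep -Ev '^[[:space:]]*(#|$)' "$1"
}

# Emit one line per finding; always returns 0 so callers can count output.
check_dockerfile() {
  f="$1"

  # Sudo Usage in Dockerfile (CWE-250): a RUN instruction invoking sudo.
  if strip_comments "$f" | grep -Eiq '^[[:space:]]*RUN.*[^[:alnum:]_./-]sudo([^[:alnum:]_./-]|$)'; then
    echo "MEDIUM   sudo used in RUN instruction (build already runs as root)"
  fi

  # Container Running as Root (CWE-250): no USER, or the last USER is root.
  # Flagging an explicit root user is an extension of the page's rule.
  last_user=$(strip_comments "$f" | grep -Ei '^[[:space:]]*USER[[:space:]]+' | tail -n 1 | awk '{print $2}')
  case "$last_user" in
    ""|root|0|root:*|0:*) echo "HIGH     container runs as root (USER missing or root)" ;;
  esac

  # Secret in Build Argument (CWE-538): ARG names that look like credentials.
  strip_comments "$f" | grep -Ei '^[[:space:]]*ARG[[:space:]]+' | awk '{print $2}' | cut -d= -f1 \
    | grep -Ei 'passw(or)?d|secret|token|api[_-]?key|credential' \
    | while read -r name; do
        echo "CRITICAL build argument '$name' looks like a secret (visible in docker history)"
      done

  # Docker Socket Mounted as Volume (CWE-250): VOLUME naming the daemon socket.
  if strip_comments "$f" | grep -Eiq '^[[:space:]]*VOLUME.*docker\.sock'; then
    echo "CRITICAL Docker socket declared as volume (full control of host daemon)"
  fi
  return 0
}

# Number of findings for a Dockerfile, as a bare integer.
count_findings() {
  check_dockerfile "$1" | wc -l | tr -d ' '
}

WORK=$(mktemp -d)
BAD="$WORK/bad.Dockerfile"
GOOD="$WORK/good.Dockerfile"

# Constructed Dockerfile that trips all four rules.
cat > "$BAD" <<'EOF'
FROM debian:bookworm-slim
ARG DB_PASSWORD=changeme
RUN apt-get update && sudo apt-get install -y curl
VOLUME /var/run/docker.sock
CMD ["curl", "--version"]
EOF

# Hardened counterpart: no sudo, secret via BuildKit secret mount, unprivileged USER.
cat > "$GOOD" <<'EOF'
# syntax=docker/dockerfile:1
FROM debian:bookworm-slim
ARG APP_VERSION=1.0
RUN apt-get update && apt-get install -y curl && rm -rf /var/lib/apt/lists/*
RUN --mount=type=secret,id=db_password cat /run/secrets/db_password > /dev/null
RUN useradd --system --no-create-home app
USER app
CMD ["curl", "--version"]
EOF

echo "== $BAD"
check_dockerfile "$BAD"
echo "findings: $(count_findings "$BAD")"
echo "== $GOOD"
check_dockerfile "$GOOD"
echo "findings: $(count_findings "$GOOD")"
```

Run it with any POSIX shell; the constructed vulnerable Dockerfile yields four findings and the hardened one yields none. The hardened file passes the database password with a BuildKit secret mount, which is the fix the Secret in Build Argument rule calls for, and creates a dedicated account before switching to it with USER.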