To run this rule against a project:

```shell
pathfinder scan --ruleset docker/DOCKER-SEC-007 --project .
```

About This Rule
Understanding the vulnerability and how it is detected
This rule detects the use of 'sudo' in RUN instructions within a Dockerfile. Using sudo in a Docker build is an anti-pattern: it indicates confusion about Docker's privilege model (RUN already executes as root unless a USER instruction has changed the user), and a sudo binary left in the final image adds attack surface and a privilege escalation path the container does not need.
Security Implications
Potential attack scenarios if this vulnerability is exploited
Unnecessary Complexity
RUN instructions execute as root by default (until a USER instruction switches the user), so prefixing commands with sudo adds nothing but confusion. Many minimal base images (the official debian, ubuntu and alpine images, for example) do not ship sudo at all, so such a RUN step simply fails with "sudo: not found".
False Sense of Security
Developers may assume sudo provides security isolation. In reality it only changes which user a process runs as inside the container; it adds no isolation from the host, and a process that is already root gains nothing from it. If anything, a sudoers entry that lets the application user become root undoes the benefit of running as non-root.
Privilege Escalation Path
If sudo is installed and configured in the final image (for example a sudoers entry granting the application user NOPASSWD root), an attacker who compromises the application process can become root inside the container with a single command, defeating the purpose of the USER instruction.
Attack Surface
The sudo binary itself has had serious vulnerabilities, for example CVE-2021-3156 ("Baron Samedit"), a heap-based buffer overflow that let any local user obtain root; a copy left in the container is exploitable by anyone who gains code execution inside it. Why sudo doesn't make sense in Docker:

```dockerfile
# WRONG: Redundant sudo during build (RUN already executes as root)
RUN sudo apt-get update

# CORRECT: Just run the command (build runs as root)
RUN apt-get update

# WRONG: Using sudo to run as a different user
RUN sudo -u appuser /app/script.sh

# CORRECT: Use the USER instruction instead. USER persists for every
# following instruction (and for the container at run time); switch back
# with USER root if a later build step genuinely needs root.
USER appuser
RUN /app/script.sh
```
How to Fix
Recommended remediation steps
1. Remove sudo from RUN instructions: the build runs as root by default, so the command works without it.
2. Use the USER instruction to switch to a non-root user for the final image (and for any build steps that should not run as root).
3. Do not install sudo in the final image; without the binary there is no sudo-based privilege escalation path and no sudo attack surface.
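To make the detection and the three remediation steps concrete, here is an added checker written for this page (illustrative code, not the pathfinder rule's own implementation). It reports sudo invoked from any RUN instruction, in shell form, exec form and `sh -c` scripts, with `&&`/`;`/`|` chains split into individual commands and backslash continuations and comments handled, and it reports the sudo package being installed only when that happens in the final build stage. The function names, the `Finding` record and both sample Dockerfiles are constructed for this example and are not from the page.

```python
# Added example: DOCKER-SEC-007-style checker (illustrative, not pathfinder's code).
import json
import re
import shlex
from dataclasses import dataclass

_SEGMENT_SPLIT = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")   # shell command separators
_PKG_MANAGERS = {"apt-get", "apt", "apk", "yum", "dnf", "microdnf"}
_INSTALL_VERBS = {"install", "add"}

@dataclass(frozen=True)
class Finding:
    line: int       # 1-based line of the RUN instruction
    kind: str       # "sudo-invoked" or "sudo-installed-in-final-stage"
    command: str    # the offending command segment

def iter_instructions(dockerfile: str):
    """Yield (line_no, INSTRUCTION, argument); handles comments and \\ continuations."""
    i, lines = 0, dockerfile.splitlines()
    while i < len(lines):
        start, logical = i + 1, lines[i].strip()
        i += 1
        if not logical or logical.startswith("#"):
            continue
        while logical.endswith("\\") and i < len(lines):
            nxt = lines[i].strip()
            i += 1
            if nxt.startswith("#"):          # comments may sit inside a continuation
                continue
            logical = logical[:-1].rstrip() + " " + nxt
        parts = logical.split(None, 1)
        yield start, parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")

def commands_in_run(arg: str) -> list[str]:
    # Split a RUN argument into the individual commands it executes.
    if arg.startswith("["):                  # exec form: RUN ["sudo", "apt-get", ...]
        try:
            argv = [str(a) for a in json.loads(arg)]
        except (json.JSONDecodeError, TypeError):
            return [arg]
        # RUN ["sh", "-c", "a && sudo b"] still runs a shell script: split it too.
        if len(argv) >= 3 and argv[1] == "-c" and argv[0].rsplit("/", 1)[-1] in ("sh", "bash"):
            return [s for s in _SEGMENT_SPLIT.split(argv[2]) if s]
        return [" ".join(argv)]
    return [s for s in _SEGMENT_SPLIT.split(arg) if s]      # shell form

def _argv(command: str) -> list[str]:
    try:
        argv = shlex.split(command)
    except ValueError:                       # unbalanced quotes: crude fallback
        argv = command.split()
    while argv and re.fullmatch(r"[A-Za-z_]\w*=.*", argv[0]):   # drop VAR=value prefix
        argv.pop(0)
    return argv

def invokes_sudo(command: str) -> bool:
    # True when the command's program is sudo, by name or by path.
    argv = _argv(command)
    return bool(argv) and argv[0].rsplit("/", 1)[-1] == "sudo"

def installs_sudo(command: str) -> bool:
    # True for package-manager install commands that list the sudo package.
    argv = _argv(command)
    if not argv or argv[0].rsplit("/", 1)[-1] not in _PKG_MANAGERS:
        return False
    return bool(_INSTALL_VERBS & set(argv[1:])) and "sudo" in argv[1:]

def scan_dockerfile(dockerfile: str) -> list[Finding]:
    """Findings in line order; sudo installs are reported only for the final stage."""
    invoked, installs, stage = [], [], -1
    for line_no, instr, arg in iter_instructions(dockerfile):
        if instr == "FROM":
            stage += 1
        elif instr == "RUN":
            for cmd in commands_in_run(arg):
                if invokes_sudo(cmd):
                    invoked.append(Finding(line_no, "sudo-invoked", cmd))
                if installs_sudo(cmd):
                    installs.append((stage, Finding(line_no, "sudo-installed-in-final-stage", cmd)))
    return sorted(invoked + [f for s, f in installs if s == stage], key=lambda f: f.line)

# Constructed sample inputs for this example (not taken from the page).
VULNERABLE_DOCKERFILE = """\
FROM ubuntu:22.04
RUN apt-get update && \\
    sudo apt-get install -y curl
RUN ["sudo", "-u", "appuser", "/app/script.sh"]
RUN DEBIAN_FRONTEND=noninteractive apt-get install -y sudo
# RUN sudo echo "a comment is not an instruction"
USER appuser
RUN /app/script.sh
"""
FIXED_DOCKERFILE = """\
FROM ubuntu:22.04 AS build
RUN apt-get update && apt-get install -y build-essential sudo   # discarded stage
FROM ubuntu:22.04
COPY --from=build /out /app
RUN useradd --system --no-create-home appuser
USER appuser
RUN /app/script.sh
"""
```

Calling `scan_dockerfile(VULNERABLE_DOCKERFILE)` yields three findings (sudo invoked on lines 2 and 4, sudo installed into the final image on line 5), while the fixed Dockerfile yields none: the sudo package in its discarded build stage never reaches the shipped image, and the non-root switch is done with USER rather than `sudo -u`. Heredoc RUN syntax (`RUN <<EOF`) and sudo invoked indirectly from a script copied into the image are outside what this checker sees.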
Similar Rules
Explore related security rules for Docker
Container Running as Root - Missing USER
Dockerfile does not specify USER instruction. Container will run as root by default, which increases the attack surface if the container is compromised.
Secret in Build Argument
Build argument name suggests it contains a secret. ARG values are visible in image history via 'docker history'.
Docker Socket Mounted as Volume
Dockerfile mounts the Docker socket. A container with /var/run/docker.sock mounted has full control over the host Docker daemon, which is equivalent to root access on the host.