Docker Socket Mounted In Container

  • Query id: d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b
  • Query name: Docker Socket Mounted In Container
  • Platform: DockerCompose
  • Severity: High
  • Category: Build Process
  • URL: Github

Description

The Docker socket (docker.sock) should not be mounted from the host into a container. If the socket is mounted, processes inside the container can execute Docker commands against the host daemon.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
version: "3.1"

services:
  service1:
    container_name: service
    image: notareal/image:latest
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    ports:
      - 8080:8080

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
version: "3.1"

services:
  service1:
    container_name: service
    image: notareal/image:latest
    restart: always
    ports:
      - 8080:8080
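The following is an added example, not KICS's own query logic, that implements the check described above as a stand-alone script: it scans a docker-compose file and reports every service whose volumes mount the host Docker socket, covering both the short `host:container` volume syntax shown in the positive sample and the long `type: bind` / `source:` syntax. To stay dependency-free it walks the file line by line using the indentation structure of a compose file rather than a full YAML parser (an assumption: it expects the conventional two-space indentation used in the samples). The positive and negative samples are the ones from this page; the long-syntax sample is constructed for the example.

```python
"""Flag host Docker socket mounts in a docker-compose file (stdlib only)."""
import re

# Host paths under which the Docker daemon socket is commonly exposed.
DOCKER_SOCKET_PATHS = ("/var/run/docker.sock", "/run/docker.sock")

# Short volume syntax:  - /var/run/docker.sock:/var/run/docker.sock[:ro]
SHORT_SYNTAX = re.compile(r"^\s*-\s*[\"']?(?P<src>[^:\"']+)[\"']?:(?P<rest>\S+)")
# Long volume syntax:   source: /var/run/docker.sock  (possibly as "- source:")
LONG_SYNTAX = re.compile(r"^\s*-?\s*source:\s*[\"']?(?P<src>[^\"'\s]+)")


def find_docker_socket_mounts(compose_text):
    """Return (line_number, service_name, source_path) for each socket mount.

    Assumes conventional compose indentation: top-level keys at column 0,
    service names at 2 spaces, service keys (volumes, ports, ...) at 4 spaces.
    """
    findings = []
    in_services = False
    service = None
    key = None
    for lineno, line in enumerate(compose_text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:
            # A new top-level section; only "services:" is of interest.
            in_services = line.rstrip() == "services:"
            service = key = None
            continue
        if not in_services:
            continue
        if indent == 2 and line.rstrip().endswith(":"):
            service = line.strip()[:-1]
            key = None
            continue
        if indent == 4 and ":" in line:
            key = line.strip().split(":", 1)[0]
            continue
        if key != "volumes":
            continue  # "- 8080:8080" under ports must not be mistaken for a mount
        match = SHORT_SYNTAX.match(line) or LONG_SYNTAX.match(line)
        if match and match.group("src").rstrip("/") in DOCKER_SOCKET_PATHS:
            findings.append((lineno, service, match.group("src")))
    return findings


def is_compliant(compose_text):
    """True when no service mounts the host Docker socket."""
    return not find_docker_socket_mounts(compose_text)


# Positive sample from the page (line 9 mounts the socket).
POSITIVE_SAMPLE = '''version: "3.1"

services:
  service1:
    container_name: service
    image: notareal/image:latest
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    ports:
      - 8080:8080
'''

# Negative sample from the page (no volumes at all).
NEGATIVE_SAMPLE = '''version: "3.1"

services:
  service1:
    container_name: service
    image: notareal/image:latest
    restart: always
    ports:
      - 8080:8080
'''

# Constructed sample using the long volume syntax (line 6 is the socket).
LONG_SYNTAX_SAMPLE = '''services:
  agent:
    image: notareal/image:latest
    volumes:
      - type: bind
        source: /var/run/docker.sock
        target: /var/run/docker.sock
'''

if __name__ == "__main__":
    for name, text in (("positive", POSITIVE_SAMPLE),
                       ("negative", NEGATIVE_SAMPLE),
                       ("long syntax", LONG_SYNTAX_SAMPLE)):
        for lineno, service, src in find_docker_socket_mounts(text):
            print(f"{name}: line {lineno}: service '{service}' mounts {src}")
        print(f"{name}: compliant = {is_compliant(text)}")
```

Running the script prints one finding for the positive sample and one for the long-syntax sample, and reports the negative sample as compliant; for CI use, a non-empty result from find_docker_socket_mounts is the signal to fail the build.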