Container Capabilities Unrestricted
- Query id: ce76b7d0-9e77-464d-b86f-c5c48e03e22d
- Query name: Container Capabilities Unrestricted
- Platform: DockerCompose
- Severity: Low
- Category: Resource Management
- URL: Github
Description¶
Linux capabilities split root's privileges into discrete units, and a container's processes can only use the capabilities in the container's bounding set. Declaring cap_add with the value all grants every capability to the service, which makes a compromise of the service far more dangerous (for example, SYS_ADMIN allows mounting filesystems and SYS_MODULE allows loading kernel modules). Add only the capabilities the service actually needs and drop the rest; the safest pattern is cap_drop with ALL followed by an explicit cap_add list of the few capabilities required. Note that the query flags an all entry in cap_add even when cap_drop entries are present (positive tests 2 and 3): in the Docker engine an all in cap_add is applied first and cap_drop then removes only capabilities it names individually, so dropping ALL next to it does not narrow the set.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
version: "3.9"
services:
  webapp:
    build:
      context: ./dir
      dockerfile: Dockerfile-alternate
      args:
        buildno: 1
    ports:
      - "8080:8080"
      - "3000:3000"
    cap_add:
      - all
Positive test num. 2 - yaml file
version: "3.9"
services:
  webapp:
    build:
      context: ./dir
      dockerfile: Dockerfile-alternate
      args:
        buildno: 1
    ports:
      - "8080:8080"
      - "3000:3000"
    cap_add:
      - all
    cap_drop:
      - SYS_CHROOT
Positive test num. 3 - yaml file
version: "3.9"
services:
  webapp:
    build:
      context: ./dir
      dockerfile: Dockerfile-alternate
      args:
        buildno: 1
    ports:
      - "8080:8080"
      - "3000:3000"
    cap_add:
      - all
    cap_drop:
      - all
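The samples above show only the flagged form. A compliant version of the same webapp service, added here as an example (it is not one of the query's own negative samples), assumes that the container's entrypoint runs as root, fixes the ownership of its data directory and then switches to an unprivileged user, so CHOWN, SETUID and SETGID are the only capabilities it adds back:

```yaml
version: "3.9"
services:
  webapp:
    build:
      context: ./dir
      dockerfile: Dockerfile-alternate
      args:
        buildno: 1
    ports:
      - "8080:8080"
      - "3000:3000"
    # Drop the whole default set first, then add back only what this
    # service needs. The three capabilities below are an assumption for
    # this example: an entrypoint that runs as root, fixes ownership of
    # its data directory (CHOWN) and then drops to an app user (SETUID,
    # SETGID). Never put "all" in cap_add: with "all" present, cap_drop
    # only removes capabilities that it names individually.
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETUID
      - SETGID
    # Optional hardening: prevents setuid binaries and file capabilities
    # inside the container from regaining privileges dropped above.
    security_opt:
      - no-new-privileges:true
```

After docker compose up -d, confirm the result from the host with docker inspect --format '{{.HostConfig.CapAdd}} {{.HostConfig.CapDrop}}' on the container, and from inside it with grep Cap /proc/1/status, decoding the CapEff mask with capsh --decode=<hex> from libcap; the decoded list should contain only the three capabilities above. If the service only listens on 8080 and 3000 as an unprivileged user from the start, even these are unnecessary and the cap_add list can be omitted, leaving cap_drop ALL alone.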