SiteShadow
Back to vulnerability library
Detected byPro-tier static analysisPro

CONTAINER01 Privileged Container or Root User

What this means

SiteShadow flagged containers that run with elevated privileges (root user, privileged: true, broad capabilities, host mounts like docker.sock).

Why it matters

Privileged containers increase blast radius and can escape isolation in misconfigured hosts.

Safer examples

1) Run as non-root

Set an explicit non-root user in the image and runtime.

2) Drop capabilities and use no-new-privileges

3) Avoid dangerous host mounts

Avoid mounting /var/run/docker.sock and broad host volumes unless strictly required and isolated.

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.