DOCKER01/02 Dockerfile and Compose Risky Patterns
This page covers:
- DOCKER01: Risky Dockerfile patterns (root user, :latest, curl | bash, secrets in ENV)
- DOCKER02: Risky docker-compose patterns (privileged mode, mounting docker.sock, overly broad capabilities)
What this means
SiteShadow flagged container build/runtime configuration that increases blast radius or makes secrets easier
to leak.
Why it matters
Container misconfiguration can turn a small bug into host compromise, lateral movement, or broad data
exposure.
Safer examples
1) Run as non-root and pin base images (Dockerfile)
FROM node:20.11.1-alpine
RUN addgroup -S app && adduser -S app -G app
USER app
WORKDIR /app
COPY --chown=app:app . .
CMD ["node", "server.js"]
2) Avoid curl | bash and verify downloads
Prefer package managers and signed artifacts. If you must download, verify checksums/signatures.
3) Harden compose runtime settings (docker-compose.yml)
services:
  web:
    image: myapp:1.2.3
    read_only: true
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    ports:
      - "8080:8080"
How SiteShadow detects it (high level)
- Scans Dockerfiles and compose files for high-risk knobs (root/privileged, docker.sock, broad caps, :latest, secrets in ENV).
- Flags configurations that materially increase blast radius, even if the app code is otherwise "secure."
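To make the DOCKER01 checks concrete, here is a minimal Dockerfile scanner. It is an added example, not SiteShadow's implementation: the rule names, regexes and the sample Dockerfile are assumptions made for illustration. It joins backslash continuations so a split `curl ... | bash` is still caught, and it treats a missing USER in the final stage as running as root.

```python
import re

# Heuristics modelled on the DOCKER01 list above (hypothetical rule names, not SiteShadow's).
SECRET_KEY = re.compile(r"(?i)(password|passwd|secret|token|api_?key)")
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|da|z)?sh\b")

def logical_lines(text):
    """Yield (first_line_no, instruction) with backslash continuations joined."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not buf:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
        else:
            yield start, buf + line
            buf = ""

def scan_dockerfile(text):
    """Return sorted [(line_no, rule)] for root user, unpinned tag, curl|sh, secrets in ENV."""
    findings, stages, user, from_line = [], set(), None, 0
    for no, line in logical_lines(text):
        instr, _, rest = line.partition(" ")
        instr, args = instr.upper(), rest.split()
        if instr == "FROM":
            user, from_line = None, no       # USER does not carry across build stages
            image = next((a for a in args if not a.startswith("--")), "")
            name = image.rsplit("/", 1)[-1]  # ignore a registry host:port prefix
            unpinned = ":" not in name or name.endswith(":latest")
            if unpinned and image not in stages | {"scratch"} and "@sha256:" not in image:
                findings.append((no, "unpinned-base-image"))
            if len(args) >= 3 and args[-2].upper() == "AS":
                stages.add(args[-1])         # later "FROM <stage>" is not a registry pull
        elif instr == "USER" and args:
            user = args[0].split(":")[0]
        elif instr == "RUN" and PIPE_TO_SHELL.search(rest):
            findings.append((no, "pipe-to-shell"))
        elif instr == "ENV":
            keys = [a.split("=", 1)[0] for a in args if "=" in a] or args[:1]
            if any(SECRET_KEY.search(k) for k in keys):
                findings.append((no, "secret-in-env"))
    if from_line and user in (None, "root", "0"):
        findings.append((from_line, "runs-as-root"))  # heuristic: base image may set a user
    return sorted(findings)

# Constructed sample input (not from a real project).
BAD = "FROM node:latest\nENV NODE_ENV=production API_TOKEN=changeme\nRUN curl -fsSL https://example.invalid/install.sh \\\n    | bash\n"
```

Running `scan_dockerfile` on the safer Dockerfile from section 1 returns an empty list, while `BAD` produces one finding per DOCKER01 pattern.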
References
- OWASP Docker Security Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
---