CONTAINER01 Privileged Container or Root User

What this means

SiteShadow flagged containers that run with elevated privileges (root user, privileged: true, broad capabilities, host mounts like docker.sock).

Why it matters

Privileged containers increase blast radius and can escape isolation in misconfigured hosts.

• Host compromise risk: privileged containers and dangerous mounts can allow escaping the container.
• Lateral movement: once a container is compromised, a privileged runtime makes pivots easier.
• Defense-in-depth loss: container boundaries stop being meaningful.

Safer examples

1) Run as non-root

Set an explicit non-root user in the image and runtime.

2) Drop capabilities and use no-new-privileges

• Drop ALL caps, add back only what's required.
• Use read-only filesystem when possible.

3) Avoid dangerous host mounts

Avoid mounting /var/run/docker.sock and broad host volumes unless strictly required and isolated.

How SiteShadow detects it (high level)

• Scans container configs (Dockerfile/compose/K8s) for privileged flags, root users, dangerous mounts, and broad capabilities.
• Highlights patterns that materially increase the blast radius of a compromise.

References

• OWASP Top 10: https://owasp.org/Top10/

---

← Back to Vulnerability Library