| name | sc-docker |
| description | Docker-specific security checks — image hardening, secrets in layers, compose security, and runtime configuration |
| license | MIT |
| metadata | {"author":"ersinkoc","category":"security","version":"1.0.0"} |
SC: Docker Security
Purpose
Performs Docker-specific security analysis covering Dockerfile best practices, secrets exposure in image layers, docker-compose security configuration, runtime security settings, and container image hardening. Extends beyond general IaC scanning with deep Docker expertise.
Activation
Called by sc-orchestrator during Phase 2 when Dockerfile or docker-compose files are detected.
Phase 1: Discovery
File Patterns
**/Dockerfile*, **/docker-compose*, **/.dockerignore,
**/docker/*, **/*.dockerfile
Dockerfile Security Checks
1. Running as Root:
Check for missing USER directive after base image.
2. Secrets in Build:
# VULNERABLE: Secret in ENV or ARG
ENV DATABASE_PASSWORD=mysecret
ARG API_KEY=sk_live_abc123
COPY .env /app/.env
# SAFE: Use build secrets (BuildKit)
RUN --mount=type=secret,id=db_password cat /run/secrets/db_password
3. ADD vs COPY:
# RISKY: ADD can auto-extract and fetch URLs
ADD https://example.com/app.tar.gz /app/
ADD . /app/
# SAFE: COPY is explicit
COPY . /app/
4. Missing .dockerignore:
Without .dockerignore, sensitive files get copied into the image:
.env, .git/, node_modules/, *.pem, *.key
5. Unverified Base Image:
# RISKY: Unverified image
FROM someuser/myimage:latest
# SAFE: Official image with digest
FROM node:18-alpine@sha256:abc123...
Docker Compose Security
services:
app:
privileged: true
network_mode: host
pid: host
volumes:
- /:/host
cap_add:
- ALL
env_file:
- .env
services:
app:
read_only: true
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
cap_add:
- NET_BIND_SERVICE
tmpfs:
- /tmp
Severity Classification
- Critical: Secrets in image layers, privileged mode, host root mount
- High: Running as root, host network/PID, missing .dockerignore with secrets
- Medium: Using latest tag, ADD instead of COPY, missing health check
- Low: Missing resource limits, non-optimal layer ordering
Output Format
Finding: DOCK-{NNN}
- Title: Docker {vulnerability type}
- Severity: Critical | High | Medium | Low
- Confidence: 0-100
- File: file/path:line
- Vulnerability Type: CWE-250 (Excessive Privileges) | CWE-732 (Incorrect Permission)
- Description: {What was found}
- Impact: Container escape, secret exposure, host compromise.
- Remediation: {Specific Dockerfile/compose fix}
- References: https://docs.docker.com/develop/security-best-practices/
Common False Positives
- Build-stage root — multi-stage builds running as root in build stage but non-root in final
- CI/CD containers — build containers with elevated privileges for CI tasks
- Development compose — development overrides with relaxed security