
CV-C002: Docker socket mounted


Why This Matters

Mounting the Docker socket (/var/run/docker.sock) inside a container gives every process in that container unauthenticated access to the host Docker daemon, which runs as root. Through the API the process can create, start, stop, or remove containers and pull images; in particular it can start a new container with the host filesystem bind-mounted or with --privileged, which amounts to root on the host. The daemon performs no per-caller authorization by default, so the socket is an all-or-nothing credential. CWE-250: Execution with Unnecessary Privileges.

How to Fix

Use a Docker API proxy that exposes only the API sections and methods the service actually needs, or avoid mounting the socket entirely. Mounting it read-only (:ro) is not a fix: the read-only flag applies to the bind mount, not to the socket, and the daemon still accepts connections through it.

Before (incorrect)

services:
  web:
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

After (correct)

services:
  web:
    volumes:
      # Socket mount removed; the service only gets the data directory it needs.
      - ./app-data:/data
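When the service genuinely needs to read Docker state (for example to list or inspect containers), the proxy approach named above keeps the socket out of the application container. The following compose file is an added example, not part of the rule page; it assumes the tecnativa/docker-socket-proxy image and its permission environment variables (CONTAINERS, POST, IMAGES, VOLUMES, NETWORKS, EXEC) as documented in that project's README, and the service and network names are illustrative.

```yaml
# Added example (not from the rule page). Only the proxy sees the socket;
# the application reaches the daemon through the proxy on an internal network.
# Image and variable names are assumed from the tecnativa/docker-socket-proxy
# README; verify them against the version you deploy.
services:
  docker-proxy:
    image: tecnativa/docker-socket-proxy
    volumes:
      # The proxy is the single holder of the socket. ":ro" is defence in
      # depth only; it does not stop connect() on the socket.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      # Each API section is denied unless set to 1 (ping/version/events
      # are enabled by default). Grant the minimum the app needs.
      CONTAINERS: 1   # allow GET /containers/* (list, inspect, logs)
      POST: 0         # deny every state-changing request
      IMAGES: 0
      VOLUMES: 0
      NETWORKS: 0
      EXEC: 0         # no exec into running containers
    networks:
      - docker-api    # do not publish the proxy port on the host

  web:
    build: .
    environment:
      # Point the Docker CLI/SDK at the proxy instead of the socket.
      DOCKER_HOST: tcp://docker-proxy:2375
    volumes:
      - ./app-data:/data   # no socket mount here
    networks:
      - docker-api
      - default

networks:
  docker-api:
    internal: true   # reachable only by services on this network
```

The proxy narrows what the application can ask the daemon to do; it does not remove the trust placed in the proxy container itself. Granting POST=1 together with CONTAINERS=1 lets the caller create containers again, which re-opens the host-root path this rule is about, so treat the permission list as part of the security review.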

Rule Details

Rule Code: CV-C002
Severity: Error
Category: Security

Related Rules