CV-C012: Seccomp profile disabled
Warning Security
Why This Matters
Seccomp (secure computing mode) restricts which system calls a container can make. Docker applies a default seccomp profile that blocks ~44 dangerous syscalls. Disabling it with seccomp:unconfined removes this protection, allowing the container to make any system call, increasing the attack surface for kernel exploits.
How to Fix
Remove seccomp:unconfined, or use a custom seccomp profile instead.
Before (incorrect)
services:
  web:
    security_opt:
      - seccomp:unconfined
After (correct)
services:
  web:
    security_opt:
      - seccomp:./seccomp-profile.json
Rule Details
- Rule Code: CV-C012
- Severity: Warning
- Category: Security
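One way to implement the check this rule describes, as an added example that is not the linter's own code. It assumes the Compose file has already been parsed into Python dicts and lists by a YAML loader; the function names and the sample document are constructed for illustration. It accepts both the `seccomp:unconfined` spelling shown above and the `seccomp=unconfined` form that Docker also accepts.

```python
# Added example: flag services whose security_opt disables seccomp (CV-C012).
# Assumption: the Compose document is already parsed into dicts/lists.

def seccomp_value(opt):
    """Return the seccomp setting from one security_opt entry, or None."""
    if not isinstance(opt, str):
        return None
    # Docker accepts key=value and the older key:value spelling.
    for sep in ("=", ":"):
        key, found, value = opt.partition(sep)
        if found and key == "seccomp":
            return value
    return None


def find_unconfined(compose):
    """Return sorted names of services that set seccomp to unconfined."""
    flagged = []
    services = compose.get("services") or {}
    for name, svc in services.items():
        # security_opt may be absent or null; treat both as an empty list.
        opts = (svc or {}).get("security_opt") or []
        if any(seccomp_value(o) == "unconfined" for o in opts):
            flagged.append(name)
    return sorted(flagged)


# Constructed sample, equivalent to a parsed docker-compose.yml.
SAMPLE = {
    "services": {
        "web": {"security_opt": ["seccomp:unconfined"]},
        "api": {"security_opt": ["seccomp=unconfined", "no-new-privileges:true"]},
        "db": {"security_opt": ["seccomp:./seccomp-profile.json"]},
        "cache": {"image": "redis"},
        "worker": {"security_opt": None},
    }
}

if __name__ == "__main__":
    for name in find_unconfined(SAMPLE):
        print(f"CV-C012: service '{name}' disables seccomp")
```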