forked from PatchMon/PatchMon-agent
Closed
Description
The Docker Bench scanner runs a container with extremely elevated privileges including `--net host`, `--pid host`, `--userns host`, and mounts of sensitive system directories. While necessary for security scanning, this creates a significant attack surface if the container image is compromised.
Location
`internal/integrations/compliance/docker_bench.go` lines 82-97
```go
args := []string{
    "run", "--rm",
    "--net", "host",
    "--pid", "host",
    "--userns", "host",
    "--cap-add", "audit_control",
    "-v", "/etc:/etc:ro",
    "-v", "/lib/systemd/system:/lib/systemd/system:ro",
    "-v", "/usr/bin/containerd:/usr/bin/containerd:ro",
    "-v", "/usr/bin/runc:/usr/bin/runc:ro",
    "-v", "/usr/lib/systemd:/usr/lib/systemd:ro",
    "-v", "/var/lib:/var/lib:ro",
    "-v", "/var/run/docker.sock:/var/run/docker.sock:ro",
    "--label", "docker_bench_security",
    dockerBenchImage,
}
```
Impact
- If the Docker Bench image is compromised or replaced, an attacker gains host-level access
- Image pulls from `docker/docker-bench-security` could be intercepted
- Container has full visibility into host processes, network, and file system
Recommended Fix
- Pin Docker Bench to a specific image digest rather than using `latest`:

  ```go
  const dockerBenchImage = "docker/docker-bench-security@sha256:abc123..."
  ```

- Verify the image digest before running:

  ```go
  // Before running, verify the image digest
  verifyCmd := exec.CommandContext(ctx, dockerBinary, "inspect", "--format", "{{.Id}}", dockerBenchImage)
  output, err := verifyCmd.Output()
  if err != nil {
      return nil, fmt.Errorf("docker bench image verification failed: %w", err)
  }
  if !strings.HasPrefix(strings.TrimSpace(string(output)), "sha256:expected...") {
      return nil, fmt.Errorf("docker bench image verification failed")
  }
  ```

- Consider adding image signature verification using Docker Content Trust
- Document the security implications in deployment documentation
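The pin-and-verify recommendation above, as an added example that is not code from the PatchMon-agent repository: `checkRepoDigests` rejects any reference that is not digest-pinned and confirms that the locally present image carries exactly that repo@digest, using the `RepoDigests` field (the registry manifest digest, which is what an `@sha256:` pin refers to, rather than the local config ID returned by `{{.Id}}`). The digest constant, the `verifyImage` helper and the `{{json .RepoDigests}}` inspect call are assumptions for this example.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// Constructed placeholder digest; substitute the digest of the image you actually vetted.
const dockerBenchImage = "docker/docker-bench-security@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

// pinnedRef matches only repo@sha256:<64 hex>; a tag such as :latest does not match.
var pinnedRef = regexp.MustCompile(`^([^@\s]+)@(sha256:[0-9a-f]{64})$`)

// checkRepoDigests verifies that the JSON array printed by
// `docker inspect --format '{{json .RepoDigests}}' <ref>` contains the exact
// repo@digest we pinned (Docker lists Hub images in the short "docker/name@sha256:..." form).
func checkRepoDigests(inspectJSON, ref string) error {
	m := pinnedRef.FindStringSubmatch(ref)
	if m == nil {
		return fmt.Errorf("image reference %q is not pinned by sha256 digest", ref)
	}
	var repoDigests []string
	if err := json.Unmarshal([]byte(strings.TrimSpace(inspectJSON)), &repoDigests); err != nil {
		return fmt.Errorf("parsing RepoDigests: %w", err)
	}
	for _, rd := range repoDigests {
		if rd == m[1]+"@"+m[2] {
			return nil
		}
	}
	return fmt.Errorf("local image for %s does not carry pinned digest %s", m[1], m[2])
}

// verifyImage is the only place the docker binary is invoked; call it before the
// privileged `docker run` and abort the scan if it returns an error.
func verifyImage(ctx context.Context, dockerBinary, ref string) error {
	out, err := exec.CommandContext(ctx, dockerBinary, "inspect", "--format", "{{json .RepoDigests}}", ref).Output()
	if err != nil {
		return fmt.Errorf("docker inspect %s: %w", ref, err)
	}
	return checkRepoDigests(string(out), ref)
}
```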
Severity
🟠 HIGH - Host compromise risk
Labels
security, high