Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

Docker static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your DOCKER code

Disabling builder sandboxes is security-sensitive

Security Hotspot

CriticalSonarSource default severity
click to learn more

Disabling builder sandboxes can lead to unauthorized access of the host system by malicious programs.

By default, programs that are executed by a RUN instruction are in a sandbox mode that limits the capabilities of the according process. Explicitly disabling the sandbox grants the process additional capabilities that might allow it to escalate privileges and access the host system.

Ask Yourself Whether

The program is controlled by an external entity.
The program is part of a supply chain that could be a victim of a supply chain attack.

There is a risk if you answered yes to the question.

Recommended Secure Coding Practices

Whenever possible, the sandbox should stay enabled to reduce unnecessary risk.
If elevated capabilities are absolutely necessary, make sure to verify the integrity of the program before executing it.

Sensitive Code Example

# syntax=docker/dockerfile:1-labs
FROM ubuntu:22.04
# Sensitive
RUN --security=insecure ./example.sh

Compliant Solution

# syntax=docker/dockerfile:1-labs
FROM ubuntu:22.04
RUN ./example.sh
RUN --security=sandbox ./example.sh

See

MITRE, CWE-250 - Execution with Unnecessary Privileges
MITRE, CWE-284 - Improper Access Control
Dockerfile reference - RUN

Available In:

In-IDE

SaaS

Self-Hosted