Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

Docker static code analysis

Unique rules to find Vulnerabilities, Security Hotspots, and Code Smells in your DOCKER code

Filtered: 19 rules found

cwe

Impact

Clean code attribute

Using host operating system namespaces is security-sensitive

intentionality - complete

security

Security Hotspot

MajorSonarSource default severity
click to learn more

Using host operating system namespaces can lead to compromise of the host system.
Opening network services of the local host system to the container creates a new attack surface for attackers.

Host network sharing could provide a significant performance advantage for workloads that require critical network performance. However, the successful exploitation of this attack vector could have a catastrophic impact on confidentiality within the host.

Ask Yourself Whether

The host exposes sensitive network services.
The container’s services performances do not rely on operating system namespaces.

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

Do not use host operating system namespaces.

Sensitive Code Example

# syntax=docker/dockerfile:1.3
FROM example
# Sensitive
RUN --network=host wget -O /home/sessions http://127.0.0.1:9000/sessions

Compliant Solution

# syntax=docker/dockerfile:1.3
FROM example
RUN --network=none wget -O /home/sessions http://127.0.0.1:9000/sessions

See

Dockerfile reference - Custom Dockerfile syntax
Dockerfile reference - RUN --network
CWE - CWE-653 - Improper Isolation or Compartmentalization

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

In-IDE

SaaS

Self-Hosted