yaml.docker-compose.security.no-new-privileges.no-new-privileges
semgrepAuthor
228
Download Count*
License
Service '$SERVICE' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security_opt' to prevent this.
Run Locally
Run in CI
Defintion
rules:
- id: no-new-privileges
patterns:
- pattern-inside: |
version: ...
...
services:
...
- pattern: |
$SERVICE:
...
image: ...
- pattern-not: |
$SERVICE:
...
image: ...
...
security_opt:
- ...
- no-new-privileges:true
- ...
- focus-metavariable: $SERVICE
message: Service '$SERVICE' allows for privilege escalation via setuid or setgid
binaries. Add 'no-new-privileges:true' in 'security_opt' to prevent this.
metadata:
cwe:
- "CWE-732: Incorrect Permission Assignment for Critical Resource"
owasp:
- A05:2021 - Security Misconfiguration
- A06:2017 - Security Misconfiguration
references:
- https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/
- https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt
- https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag
category: security
technology:
- docker-compose
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: HIGH
confidence: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Improper Authorization
languages:
- yaml
severity: WARNING
Examples
no-new-privileges.test.yaml
version: "3.9"
services:
# ruleid: no-new-privileges
web:
image: nginx:alpine
# ruleid: no-new-privileges
worker:
image: my-worker-image:latest
security_opt:
- label:user:testuser
# ok: no-new-privileges
db:
image: mysql
security_opt:
- no-new-privileges:true
- another-opt:true
Short Link: https://sg.run/0n8q