Container Security Anti-Patterns
Overview
Reference guide for container security anti-patterns covering Docker, Podman, Docker Compose, Podman Compose, scratch-based containers, GPU passthrough, and private registries. Includes 2024-2025 CVEs and real-world escape techniques.
Critical Rules (Top 10)
- NEVER run containers as root - use USER directive with non-root UID
- NEVER use --privileged flag - drops all security boundaries
- NEVER mount Docker socket - /var/run/docker.sock = host compromise
- NEVER hardcode secrets in Dockerfile - use BuildKit --secret or runtime injection
- ALWAYS use minimal base images - scratch/distroless/alpine over full OS
- ALWAYS pin base images by digest - not just tag, for reproducibility
- ALWAYS drop all capabilities - --cap-drop=ALL, add only what's needed
- ALWAYS scan images for vulnerabilities - Trivy/Grype in CI/CD
- NEVER disable seccomp/AppArmor - keep default security profiles
- ALWAYS use multi-stage builds - separate build deps from runtime
Quick Reference
| Category | Reference File | Key CVEs |
|---|---|---|
| Dockerfile builds | references/dockerfile.md | CVE-2024-24557, CVE-2024-23651, CVE-2025-0495 |
| Runtime security | references/runtime-security.md | CVE-2025-31133, CVE-2024-21626, CVE-2021-41091 |
| Compose files | references/compose-security.md | - |
| Supply chain | references/supply-chain.md | CVE-2024-3094 |
| Podman-specific | references/podman-security.md | - |
| GPU passthrough | references/gpu-passthrough.md | CVE-2024-0132, CVE-2025-23266, CVE-2025-23359 |
| Registry security | references/registry-security.md | CVE-2024-22278, CVE-2024-22261, CVE-2022-46463 |
| Scanning & SBOM | references/scanning-sbom.md | - |
When to Use
- Writing or reviewing Dockerfiles
- Configuring docker-compose.yml or podman-compose.yml
- Setting up container runtime flags
- Implementing CI/CD image pipelines
- Hardening private registries (Harbor, etc.)
- Configuring GPU passthrough for ML workloads
- Auditing container security posture
Module Index
Build-Time Security
- references/dockerfile.md - Dockerfile anti-patterns, multi-stage builds, secrets handling, BuildKit cache poisoning
Runtime Security
- references/runtime-security.md - Privileged mode, capability management, namespace isolation, container escapes
- references/compose-security.md - Docker/Podman Compose patterns, secrets management, network isolation
Supply Chain Security
- references/supply-chain.md - Base image selection, typosquatting, slopsquatting, SBOM, provenance attestation
Platform-Specific
- references/podman-security.md - Rootless containers, user namespaces, Quadlet, systemd integration
- references/gpu-passthrough.md - NVIDIA Container Toolkit CVEs, CDI security, GPU memory isolation
Infrastructure Security
- references/registry-security.md - Harbor vulnerabilities, content trust, anonymous access, webhook security
- references/scanning-sbom.md - Trivy, Grype, Docker Scout, SBOM generation, VEX documents
Common Escape Vectors
Container to Host Escapes (2024-2025)
| Vector | CVE | Mitigation |
|---|---|---|
| runc masked path | CVE-2025-31133 | Update runc to 1.2.6+ |
| runc procfs race | CVE-2025-52565 | Update runc to 1.2.6+ |
| File descriptor leak | CVE-2024-21626 | Update runc to 1.1.12+ |
| NVIDIA TOCTOU | CVE-2024-0132 | Update toolkit to 1.16.2+ |
| Docker socket mount | N/A | Never mount /var/run/docker.sock |
| Privileged mode | N/A | Never use --privileged |
| cgroups release_agent | N/A | Block CAP_SYS_ADMIN |
Verification Commands
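```bash
# Check container is not running as root (expect a non-zero uid)
docker exec CONTAINER id

# Check capabilities (capsh must be present in the image; minimal images usually lack it)
docker exec CONTAINER capsh --print

# Check seccomp profile (seccomp=unconfined here means the default profile is disabled)
docker inspect --format='{{.HostConfig.SecurityOpt}}' CONTAINER

# Check for socket mounts (no output means the Docker socket is not mounted)
docker inspect --format='{{.Mounts}}' CONTAINER | grep docker.sock

# Scan image for vulnerabilities
trivy image IMAGE:TAG

# Generate SBOM
trivy image --format cyclonedx IMAGE:TAG
```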
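
The per-container checks above can be run in one pass over `docker inspect` JSON. The following is an added example, not part of the original guide: the function name `audit_container`, the finding labels and the sample record are assumptions made for illustration, and the sample is constructed rather than captured from a real host.

```python
import json

# Constructed sample of `docker inspect CONTAINER` output (not from a real host).
SAMPLE_INSPECT = json.loads("""
[{
  "Name": "/demo-bad",
  "Config": {"User": "", "Image": "nginx:latest"},
  "HostConfig": {
    "Privileged": true,
    "CapAdd": ["SYS_ADMIN"],
    "CapDrop": null,
    "SecurityOpt": ["seccomp=unconfined"]
  },
  "Mounts": [{"Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock"}]
}]
""")

def _caps(values):
    """Normalise capability names: upper-case, without the CAP_ prefix."""
    return {v.upper()[4:] if v.upper().startswith("CAP_") else v.upper() for v in values or []}

def audit_container(c):
    """Return a sorted list of Top 10 rule violations for one inspect entry."""
    findings = set()
    host = c.get("HostConfig") or {}
    cfg = c.get("Config") or {}
    # An empty User means the image default, which is root unless USER was set.
    if (cfg.get("User") or "").split(":")[0] in ("", "0", "root"):
        findings.add("runs-as-root")
    if "@sha256:" not in (cfg.get("Image") or ""):
        findings.add("image-not-digest-pinned")
    if host.get("Privileged"):
        findings.add("privileged")
    if "ALL" not in _caps(host.get("CapDrop")):
        findings.add("cap-drop-all-missing")
    if _caps(host.get("CapAdd")) & {"SYS_ADMIN", "ALL"}:
        findings.add("cap-sys-admin-added")
    for opt in host.get("SecurityOpt") or []:
        name, _, value = opt.replace(":", "=", 1).partition("=")
        if name in ("seccomp", "apparmor") and value == "unconfined":
            findings.add("profile-disabled:" + name)
    for m in c.get("Mounts") or []:
        if (m.get("Source") or "").endswith("docker.sock"):
            findings.add("docker-socket-mounted")
    return sorted(findings)

if __name__ == "__main__":
    for entry in SAMPLE_INSPECT:
        print(entry["Name"], audit_container(entry))
```

To audit a live host, feed it the parsed output of `docker inspect $(docker ps -q)` instead of the constructed sample.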
See Also
- HackTricks Container Security: https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/index.html
- Docker Security Best Practices: https://docs.docker.com/engine/security/
- CIS Docker Benchmark: https://www.cisecurity.org/benchmark/docker