Docker Socket Mount Dangerous
Description
Identifies cases where the Docker socket (/var/run/docker.sock) is mounted as a volume in Docker configurations. Mounting the Docker socket gives containers direct access to the Docker daemon, which effectively grants root-level access to the host system and all other containers, creating a serious security risk.
Detection Strategy
• Scans Docker-related configuration files for volume mount definitions
• Looks for lines containing a VOLUME instruction that references /var/run/docker.sock
• Reports a vulnerability when the Docker socket is explicitly mounted as a volume
• Checks both Dockerfile VOLUME instructions and docker-compose volume configurations
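A minimal line-based implementation of the detection strategy above, added here as an illustration (it is not Fluid Attacks' scanner). The sample Dockerfile and compose file are constructed, and the `find_socket_mounts` function, its `kind` parameter and the regular expressions are assumptions of this example:

```python
import re
from typing import List, Tuple

# Constructed detection rule for this example (not Fluid Attacks' scanner):
# report Dockerfile VOLUME instructions and docker-compose volume entries
# that expose the daemon socket /var/run/docker.sock to a container.
DOCKER_SOCK = "/var/run/docker.sock"
# Dockerfile: VOLUME /var/run/docker.sock  or  VOLUME ["/var/run/docker.sock"]
VOLUME_RE = re.compile(r"^\s*VOLUME\s+(.+)$", re.IGNORECASE)
# compose short syntax: - /var/run/docker.sock:/var/run/docker.sock[:ro]
COMPOSE_RE = re.compile(
    r"^\s*-\s*['\"]?(/var/run/docker\.sock)(?::[^\s'\"]*)?['\"]?\s*$"
)

# Constructed sample inputs: one Dockerfile and one compose file.
DOCKERFILE = """FROM docker:latest
# VOLUME /var/run/docker.sock   (commented out: must not be reported)
VOLUME /var/run/docker.sock:/var/run/docker.sock
RUN apk add --no-cache docker-cli
"""
COMPOSE = """services:
  agent:
    image: docker:latest
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - ./data:/data
"""

def _strip_comment(line: str) -> str:
    """Drop a '#' comment (at line start or after whitespace)."""
    return re.sub(r"(^|\s)#.*$", "", line)

def find_socket_mounts(content: str, kind: str) -> List[Tuple[int, str]]:
    """Return (line_number, line) for each line that mounts the Docker socket.

    kind is "dockerfile" or "compose". The check is line-based, so a compose
    volume in long syntax (type: bind / source: ...) is not covered.
    """
    findings = []
    for number, raw in enumerate(content.splitlines(), start=1):
        line = _strip_comment(raw)
        if kind == "dockerfile":
            match = VOLUME_RE.match(line)
            hit = bool(match) and DOCKER_SOCK in match.group(1)
        else:
            hit = bool(COMPOSE_RE.match(line))
        if hit:
            findings.append((number, raw.strip()))
    return findings
```

A read-only (`:ro`) mount is still reported, since the socket remains usable for API calls regardless of the bind-mount mode.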
Vulnerable code example
FROM docker:latest
# Mounting Docker socket gives container full access to host Docker daemon - UNSAFE
VOLUME /var/run/docker.sock:/var/run/docker.sock
# Installing Docker CLI to interact with mounted socket
RUN apk add --no-cache docker-cli
...
Secure code example
FROM docker:latest
# Use TLS-secured TCP socket instead of mounting Docker socket
ENV DOCKER_HOST=tcp://docker-proxy:2376
ENV DOCKER_TLS_VERIFY=1
ENV DOCKER_CERT_PATH=/certs
# Copy TLS certificates for secure Docker daemon communication...