Docker Container Image Security
Docker containers inherit vulnerabilities from base images, installed packages, and application dependencies. With over 60% of container images containing at least one known high or critical vulnerability, automated scanning of container artifacts is essential.
Why Docker Image Security Matters
Docker images are composed of layers — each layer can introduce vulnerabilities. Base images like Alpine, Debian, and Ubuntu carry OS-level CVEs. Application layers add language-specific dependency risks. Multi-stage builds can inadvertently leak build-time secrets. Precogs AI scans each layer independently to identify the exact source of risk.
Common Vulnerability Patterns
The most frequent issues in Docker images include: outdated base OS packages with known CVEs, hardcoded credentials in ENV directives, overly permissive file permissions, running as the root user, exposed debugging ports, and statically linked binaries with vulnerable dependencies that escape traditional SCA scanners.
How Precogs AI Detects Container Vulnerabilities
Precogs AI performs binary-level analysis of every executable and library within a container image. Unlike registry scanners that only match package versions, Precogs examines the actual compiled code for memory corruption, hardcoded secrets, and cryptographic weaknesses — catching vulnerabilities in vendor-supplied and custom binaries.
Attack Scenario: The Container Breakout (Dirty Pipe / runC)
1. An attacker exploits an SSRF vulnerability in a web application to execute code within a Docker container.
2. The container is running as the `root` user (the default for most Docker images).
3. The attacker exploits a kernel vulnerability (like Dirty Pipe, CVE-2022-0847) or a container runtime flaw (like runC, CVE-2019-5736).
4. Because the container was run with `--privileged` or without `cap_drop`, the exploit succeeds.
5. The attacker breaks out of the cgroups isolation and gains a root shell on the underlying EC2 host.
Real-World Code Examples
Privilege Escalation via Docker Socket
The Docker socket (`/var/run/docker.sock`) provides API access to the Docker daemon, which runs as root. Mounting it inside a container allows any process within that container to spawn new privileged containers, resulting in an immediate host takeover (CWE-269).
Detection & Prevention Checklist
- Ensure all Dockerfiles contain a `USER` directive to drop root privileges
- Scan base images for missing OS-level security patches (e.g., glibc, OpenSSL)
- Enforce `readOnlyRootFilesystem: true` to prevent malware from dropping payloads
- Drop all Linux capabilities by default (`cap_drop: [ALL]`) and add back explicitly
- Never mount the Docker socket (`docker.sock`) into a web-facing container
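The Docker-socket section and the checklist above can be turned into a small pre-deployment check. The following is an added example, not Precogs AI code: it inspects a Dockerfile for a missing non-root `USER` and for credential-looking `ENV` keys, and a `HostConfig` dict (the shape `docker inspect` returns) for `Privileged`, a writable root filesystem, missing `CapDrop: ALL`, and a bind-mounted `docker.sock`. The secret-key regex and both sample inputs are constructed for illustration.

```python
import re

# Heuristic: ENV keys that usually carry a credential baked into the image.
SECRET_KEY = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)

def check_dockerfile(text):
    """Return findings for a Dockerfile: root user and secrets in ENV."""
    findings, user = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr = instr.upper()
        if instr == "USER":
            user = args.strip().split(":")[0]      # last USER wins at runtime
        elif instr == "ENV":
            for tok in args.split():              # handles KEY=val and KEY val
                key = tok.split("=")[0]
                if SECRET_KEY.search(key):
                    findings.append(f"hardcoded secret in ENV: {key}")
    if user in (None, "root", "0"):
        findings.append("no non-root USER directive (process runs as root)")
    return findings

def check_host_config(cfg):
    """Return findings for a HostConfig dict (shape of `docker inspect` output)."""
    findings = []
    if cfg.get("Privileged"):
        findings.append("Privileged=true: isolation and capability limits disabled")
    if not cfg.get("ReadonlyRootfs"):
        findings.append("ReadonlyRootfs=false: root filesystem is writable")
    if "ALL" not in [c.upper() for c in cfg.get("CapDrop") or []]:
        findings.append("CapDrop does not include ALL")
    for bind in cfg.get("Binds") or []:
        # Source path is the part before the first colon in "src:dst[:opts]".
        if bind.split(":")[0].rstrip("/").endswith("docker.sock"):
            findings.append(f"Docker socket mounted into container: {bind}")
    return findings

# Constructed samples: an image with a baked-in credential and no USER,
# and a run configuration that mounts the Docker socket.
BAD_DOCKERFILE = """FROM debian:bookworm
ENV DB_PASSWORD=hunter2 APP_MODE=prod
CMD ["/app/server"]
"""
BAD_HOST_CONFIG = {"Privileged": False, "ReadonlyRootfs": False, "CapDrop": None,
                   "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/data:/data:ro"]}
```

Running both checks on the constructed samples yields two Dockerfile findings and three runtime findings, each naming the checklist item it violates.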
How Precogs AI Protects You
Precogs AI Binary Security scans Docker images layer-by-layer, detecting CVEs in base OS packages, analyzing compiled binaries for memory corruption, extracting hardcoded secrets, and identifying runtime misconfigurations — all without requiring source code.
How do you scan Docker images for vulnerabilities?
Precogs AI scans Docker container images at the binary level, analyzing every executable, shared library, and configuration file across all image layers. This detects vulnerabilities in base OS packages, statically-linked dependencies, hardcoded credentials, and runtime misconfigurations — without requiring source code access.
Scan for Docker Container Image Security Issues
Precogs AI automatically detects Docker container image security vulnerabilities and generates AutoFix PRs.