Service runs in privileged mode
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
privileged: true gives the container almost all host capabilities and device access, so a compromise of the process is effectively a compromise of the host.
Why it matters
A privileged container runs with almost every Linux capability, all host devices, and relaxed kernel restrictions, so a single application bug becomes a route to the host. Compose files with privileged: true are frequently copied from tutorials into production unchanged. The setting is rarely needed and is a top target for container escape.
How to fix it
Remove privileged: true and grant only what the workload actually needs. If it needs specific kernel powers, add just those with cap_add (for example NET_ADMIN); if it needs a device, list it under devices. Test the container starts and works without privileged before shipping.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo