Will It Vibe logoWill It Vibe?
COMPOSE-006High severity-15 points

Container adds a host-escape Linux capability

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

cap_add: SYS_ADMIN, ALL, or SYS_MODULE grants capabilities powerful enough to escape the container or compromise the host, comparable to running privileged.

Why it matters

cap_add of SYS_ADMIN, ALL, or SYS_MODULE grants kernel powers strong enough to escape the container or take over the host: SYS_ADMIN alone covers mounts and many admin operations, ALL is every capability, and SYS_MODULE can load kernel modules. Adding these is close to running privileged and defeats most of the container sandbox.

How to fix it

Remove these broad capabilities. Identify the single operation the container actually needs and grant the narrowest capability that covers it, or redesign so the operation happens outside the container. If nothing concrete requires it, delete the cap_add entry entirely and confirm the service still works.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks