Container adds a host-escape Linux capability
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
cap_add: SYS_ADMIN, ALL, or SYS_MODULE grants capabilities powerful enough to escape the container or compromise the host, comparable to running privileged.
Why it matters
cap_add of SYS_ADMIN, ALL, or SYS_MODULE grants kernel powers strong enough to escape the container or take over the host: SYS_ADMIN alone covers mounts and many admin operations, ALL is every capability, and SYS_MODULE can load kernel modules. Adding these is close to running privileged and defeats most of the container sandbox.
How to fix it
Remove these broad capabilities. Identify the single operation the container actually needs and grant the narrowest capability that covers it, or redesign so the operation happens outside the container. If nothing concrete requires it, delete the cap_add entry entirely and confirm the service still works.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo