Container shares the host PID or IPC namespace
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
pid: host or ipc: host lets the container see and signal host processes or read host shared memory, which breaks process isolation between the container and the host.
Why it matters
pid: host lets the container see and send signals to every process on the host, and ipc: host shares host shared memory. Both break the isolation that keeps a container from observing or disrupting the host and its other workloads. A compromised container with host PID access can read process arguments and environment, which often contain secrets.
How to fix it
Remove pid: host and ipc: host unless a specific tool requires them. If a service needs to share a namespace with one other container (for a sidecar pattern), scope it to that container with pid: "container:<name>" instead of the whole host. Confirm the service still functions with the host namespace removed.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo