Privileged container
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 25 points from that category, once per scan, no matter how many places it turns up.
What it detects
A container runs with securityContext.privileged: true, which grants it nearly all host capabilities and device access.
Why it matters
A privileged container turns off almost every isolation boundary the kernel gives you: it sees all host devices and holds nearly every capability. If the process is compromised, the attacker effectively has root on the node and can reach every other pod scheduled there. Very few workloads genuinely need this.
How to fix it
Remove privileged: true from the container securityContext. Add back only the specific capabilities the workload needs with capabilities.add, and set capabilities.drop: ["ALL"] as the baseline. If the workload truly needs device access, mount just that device rather than going privileged. Enforce the rule cluster-wide with Pod Security Admission (restricted) or a policy engine like Kyverno or OPA Gatekeeper.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo