Will It Vibe logoWill It Vibe?
K8S-009Critical severity-25 points

Container runtime socket mounted

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 25 points from that category, once per scan, no matter how many places it turns up.

What it detects

Mounting docker.sock, containerd.sock, or crio.sock into a container hands it control of the node container runtime, which is a full node takeover.

Why it matters

Mounting the container runtime socket (docker.sock, containerd.sock, or crio.sock) gives the container full control of the runtime on that node. From there an attacker can start a new privileged container, mount the host root filesystem, and take over the node and everything scheduled on it. This is one of the most direct container-to-node escapes.

How to fix it

Remove the runtime socket mount. If the workload needs to build images, use a daemonless builder such as Kaniko or Buildah that does not require the socket. If it needs cluster or node information, use the Kubernetes API with a tightly scoped ServiceAccount instead of the runtime socket. Treat any cluster where this was exposed as needing review.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks