All Linux capabilities added
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
capabilities.add includes ALL, granting the container every Linux capability and defeating the point of dropping capabilities.
Why it matters
capabilities.add with ALL grants the container every Linux capability, which is close to running privileged. It defeats the whole point of the capability model and hands a compromised process the tools to escalate and escape. There is almost never a real need for the full set.
How to fix it
Remove ALL from capabilities.add. Start from capabilities.drop: ["ALL"] and add back only the specific capabilities the workload requires, such as NET_BIND_SERVICE for binding low ports. If you do not know which are needed, start with none and add them one at a time as the workload reports failures.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo