Name: Security Antipatterns Containers
Author: subhashdasyam

Container Security Anti-Patterns

Overview

Reference guide for container security anti-patterns covering Docker, Podman, Docker Compose, Podman Compose, scratch-based containers, GPU passthrough, and private registries. Includes 2024-2025 CVEs and real-world escape techniques.

Critical Rules (Top 10)

NEVER run containers as root - use USER directive with non-root UID
NEVER use --privileged flag - drops all security boundaries
NEVER mount Docker socket - /var/run/docker.sock = host compromise
NEVER hardcode secrets in Dockerfile - use BuildKit --secret or runtime injection
ALWAYS use minimal base images - scratch/distroless/alpine over full OS
ALWAYS pin base images by digest - not just tag, for reproducibility
ALWAYS drop all capabilities - --cap-drop=ALL, add only what's needed

Container Security Anti-Patterns

Overview

Critical Rules (Top 10)

NEVER run containers as root - use USER directive with non-root UID
NEVER use --privileged flag - drops all security boundaries
NEVER mount Docker socket - /var/run/docker.sock = host compromise
NEVER hardcode secrets in Dockerfile - use BuildKit --secret or runtime injection
ALWAYS use minimal base images - scratch/distroless/alpine over full OS
ALWAYS pin base images by digest - not just tag, for reproducibility
ALWAYS drop all capabilities - --cap-drop=ALL, add only what's needed

Category	Reference File	Key CVEs
Dockerfile builds	references/dockerfile.md	CVE-2024-24557, CVE-2024-23651, CVE-2025-0495
Runtime security	references/runtime-security.md	CVE-2025-31133, CVE-2024-21626, CVE-2021-41091
Compose files	references/compose-security.md	-
Supply chain	references/supply-chain.md	CVE-2024-3094
Podman-specific	references/podman-security.md	-
GPU passthrough	references/gpu-passthrough.md	CVE-2024-0132, CVE-2025-23266, CVE-2025-23359
Registry security	references/registry-security.md	CVE-2024-22278, CVE-2024-22261, CVE-2022-46463
Scanning & SBOM	references/scanning-sbom.md	-

Vector	CVE	Mitigation
runc masked path	CVE-2025-31133	Update runc to 1.2.6+
runc procfs race	CVE-2025-52565	Update runc to 1.2.6+
File descriptor leak	CVE-2024-21626	Update runc to 1.1.12+
NVIDIA TOCTOU	CVE-2024-0132	Update toolkit to 1.16.2+
Docker socket mount	N/A	Never mount /var/run/docker.sock
Privileged mode	N/A	Never use --privileged
cgroups release_agent	N/A	Block CAP_SYS_ADMIN

Security Antipatterns Containers

Container Security Anti-Patterns

Overview

Critical Rules (Top 10)

Security Antipatterns Containers

Container Security Anti-Patterns

Overview

Critical Rules (Top 10)

Quick Reference

When to Use

Module Index

Build-Time Security

Runtime Security

Supply Chain Security

Platform-Specific

Infrastructure Security

Common Escape Vectors

Container to Host Escapes (2024-2025)

Verification Commands

See Also

Helm Chart Scaffolding

Python Observability

K8s Manifest Generator

Istio Traffic Management

Secrets Management

Gitops Workflow