This rule aims to prevent privilege escalation vulnerabilities in Docker Compose configurations by ensuring that the no-new-privileges security option is enabled. Privilege escalation occurs when a container can gain additional rights beyond its intended permissions, potentially compromising the host system or other containers.
Enabling no-new-privileges: true in the security_opt section of a service ensures that processes inside the container cannot gain new privileges via setuid or setgid binaries. This restriction helps maintain a secure environment by limiting the container’s ability to perform unauthorized actions, reducing the attack surface.
To comply with this rule, ensure that each service in your Docker Compose file enables the no-new-privileges directive in its security_opt section.
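The following Compose file is an added example, not taken from the original page, showing one service that violates the rule beside two that satisfy it. The service names and image tags are constructed placeholders.

```yaml
# Constructed example: service names and image tags are placeholders.
services:
  # Non-compliant: no security_opt entry, so a setuid or setgid binary
  # inside this container can still raise the privileges of the process
  # that executes it.
  web:
    image: example/web:1.0
    ports:
      - "8080:8080"

  # Compliant: no-new-privileges is enabled for this service.
  api:
    image: example/api:1.0
    security_opt:
      # Entries in security_opt are strings. Written without a space after
      # the colon, YAML reads this as the single string
      # "no-new-privileges:true"; with a space it would parse as a
      # key/value mapping instead.
      - no-new-privileges:true

  # Compliant: security_opt is set per service, so the option is repeated
  # here rather than inherited from the api service above.
  worker:
    image: example/worker:1.0
    security_opt:
      - no-new-privileges:true
```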