Scan results · 91c7b3d

RUN instruction uses pipes without 'set -o pipefail'. This masks failures in piped commands.

Dockerfile uses 'sudo' in RUN instructions. This is unnecessary during build (already root) and increases security risk if sudo remains in the final image. Use USER instruction for privilege changes instead.

Exposing port below 1024 typically requires root privileges to bind. Consider using non-privileged ports (>1024) with port mapping or granting CAP_NET_BIND_SERVICE capability.

Multiple CMD instructions detected. Only the last one takes effect.

[Service: web] Service uses host IPC namespace. Container shares inter-process communication with host.

[Service: web] Service has 'label:disable' in security_opt, which disables SELinux mandatory access control. This removes a critical security layer and increases the impact of container compromises. Remove label:disable or use custom SELinux labels instead.

[Service: app] Service does not have 'no-new-privileges:true' in security_opt. This allows processes to gain additional privileges via setuid/setgid binaries, which can be exploited for privilege escalation attacks.

__import__() or importlib.import_module() with non-literal argument detected.

Logging call detected. Audit log statements for credential/secret leakage.

Logging call detected. Audit log statements for credential/secret leakage.