Scan results · 490d33f
PR #693 · shiva/remove-self-scan-workflow → main · 2 critical · 14 high · 59 medium · 82 low
- high Using Host Network Mode sast-engine/docker-compose.yml:7
[Service: web] Service uses host network mode. Container shares host network stack, bypassing network isolation.
- high Using Host PID Mode sast-engine/docker-compose.yml:8
[Service: web] Service uses host PID namespace. Container can see and potentially signal host processes.
- high Dangerous Capability Added sast-engine/docker-compose.yml:11
[Service: web] Service adds dangerous capability. These capabilities can be used for container escape or privilege escalation.
- high Seccomp Confinement Disabled sast-engine/docker-compose.yml:14
[Service: web] Service disables seccomp profile. Container can use all system calls, increasing attack surface.
- high Dangerous subprocess Usage scripts/gen_go_modules.py:104
subprocess call detected. Ensure arguments are not user-controlled.
- high subprocess with shell=True scripts/gen_go_modules.py:104
subprocess called with shell=True. This is vulnerable to shell injection.
- medium Base Image Uses :latest Tag Dockerfile:1
Base image uses ':latest' tag or no tag (defaults to latest). This makes builds non-reproducible.
- medium Sudo Usage in Dockerfile Dockerfile:15
Dockerfile uses 'sudo' in RUN instructions. This is unnecessary during build (already root) and increases security risk if sudo remains in the final image. Use USER instruction for privilege changes instead.
- medium Sudo Usage in Dockerfile Dockerfile:17
Dockerfile uses 'sudo' in RUN instructions. This is unnecessary during build (already root) and increases security risk if sudo remains in the final image. Use USER instruction for privilege changes instead.
- medium Sudo Usage in Dockerfile Dockerfile:19
Dockerfile uses 'sudo' in RUN instructions. This is unnecessary during build (already root) and increases security risk if sudo remains in the final image. Use USER instruction for privilege changes instead.