The Python `docker` SDK. `DockerClient.containers.run()` with `privileged=True` is a container-escape finding. Mounting `/var/run/docker.sock` into the container via `volumes` grants full Docker daemon access.
| Method | Kind | Signature | Notes | fqns |
|---|---|---|---|---|
| `.containers.run()` | Sink | `Container.run(image, command=None, *, privileged=False, volumes=None, ...) -> Container` | Runs a container. Finding when `privileged=True` or `docker.sock` is mounted. | 0, 1 |
| `.from_env()` | Neutral | `docker.from_env(version=None, timeout=60, ...) -> DockerClient` | Creates a client from `DOCKER_HOST` env vars. | |
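As an added example (not codepathfinder's rule code), a small `ast`-based check that flags the two sink conditions described above: `privileged=True` and a `volumes=` literal naming `/var/run/docker.sock`. It only matches `<x>.containers.run(...)` calls with literal arguments; the `SAMPLE` source is constructed.

```python
import ast

DOCKER_SOCK = "/var/run/docker.sock"


def _kwarg(call, name):
    """Return the AST node passed as keyword `name`, or None."""
    return next((k.value for k in call.keywords if k.arg == name), None)


def _mounts_docker_sock(volumes):
    """True if a `volumes=` literal (dict or list form) names the daemon socket."""
    if isinstance(volumes, ast.Dict):  # {"/var/run/docker.sock": {"bind": ..., "mode": "rw"}}
        return any(isinstance(k, ast.Constant) and DOCKER_SOCK in str(k.value) for k in volumes.keys)
    if isinstance(volumes, (ast.List, ast.Tuple)):  # ["/var/run/docker.sock:/var/run/docker.sock"]
        return any(isinstance(e, ast.Constant) and DOCKER_SOCK in str(e.value) for e in volumes.elts)
    return False  # missing or dynamic value: not decidable statically here


def find_docker_sinks(source):
    """Return (lineno, reason) for each `<x>.containers.run(...)` call that
    sets privileged=True or mounts docker.sock; other calls produce nothing."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if not (isinstance(f, ast.Attribute) and f.attr == "run"
                and isinstance(f.value, ast.Attribute) and f.value.attr == "containers"):
            continue
        priv = _kwarg(node, "privileged")
        if isinstance(priv, ast.Constant) and priv.value is True:
            findings.append((node.lineno, "privileged=True"))
        if _mounts_docker_sock(_kwarg(node, "volumes")):
            findings.append((node.lineno, "docker.sock mounted"))
    return findings


# Constructed sample input: a neutral from_env(), a safe run(), then the two sink conditions.
SAMPLE = '''
import docker
client = docker.from_env()
client.containers.run("alpine", "id")
client.containers.run("alpine", privileged=True)
client.containers.run("alpine", volumes={"/var/run/docker.sock": {"bind": "/var/run/docker.sock", "mode": "rw"}})
'''

if __name__ == "__main__":
    for lineno, reason in find_docker_sinks(SAMPLE):
        print(f"line {lineno}: {reason}")
```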
| FQN | Field |
|---|---|
| `docker` | `fqns[0]` |
| `docker.DockerClient` | `fqns[1]` |
A wrong FQN yields 0 findings. Verify that the rule is actually matching: change `fqns` to garbage values, and the rule must then produce 0 results.
```python
from codepathfinder.go_rule import PyDocker
```