v0.12.1

Released by github-actions on 25 May 23:47 (tag v0.12.1, commit 759a2ae)

Changed

  • CL-0022 is reworked. As shipped in 0.12.0 it flagged tmpfs entries missing
    noexec/nosuid/nodev — but Docker mounts every tmpfs with all three by
    default (verified across the short, list, and long forms, and with size=
    set), so the old rule fired on already-secure configs and missed the real
    weakening. It now flags the presence of exec, suid, or dev, which
    explicitly remove those defaults, at LOW (was MEDIUM). A plain tmpfs: [/tmp]
    is no longer flagged; tmpfs: [/tmp:exec] is. The auto-fix is dropped — the
    option is set deliberately, so reverting is left to manual review.

  • CL-0012's message no longer asserts a container can "create unlimited
    processes" and fork-bomb the host. A container's pids.max is bounded by the
    cgroup hierarchy (often a high parent cap, occasionally unbounded), so the
    finding now says the limit is left to whatever that hierarchy allows. The rule
    is unchanged — it still flags an explicit pids_limit of 0 or negative.
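The two rule changes above, as an added worked example that is not the project's own code: a minimal reimplementation of the reworked CL-0022 next to its 0.12.0 behaviour (kept only for contrast), plus the unchanged CL-0012 check, run over a parsed compose service mapping. The rule ids, the LOW/MEDIUM severities for CL-0022, the `PATH:opt1,opt2` short-form syntax and the "0 or negative pids_limit" condition come from the notes; the function names, the `Finding` shape, the severity assigned to CL-0012 and the sample service are assumptions made for this example. Only the scalar and list forms of `tmpfs:` are handled.

```python
"""Added example: CL-0022 (old vs reworked) and CL-0012 over a compose service.

Not the project's own code. Rule ids and the tmpfs option semantics follow the
release notes; everything else (names, Finding shape, CL-0012 severity, sample
input) is an assumption made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Set, Tuple

# Docker mounts every tmpfs with noexec,nosuid,nodev by default.  The
# reworked rule therefore looks only for the options that remove them.
WEAKENING_TMPFS_OPTS = {"exec", "suid", "dev"}
HARDENING_TMPFS_OPTS = {"noexec", "nosuid", "nodev"}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    message: str


def _tmpfs_entries(service: dict) -> List[str]:
    """Return the entries of `tmpfs:` whether given as a scalar or a list."""
    raw = service.get("tmpfs")
    if raw is None:
        return []
    return [raw] if isinstance(raw, str) else list(raw)


def _split_tmpfs(entry: str) -> Tuple[str, Set[str]]:
    """Split 'PATH[:opt1,opt2,...]' into the mount path and its option set."""
    path, _, opts = entry.partition(":")
    return path, {o.strip() for o in opts.split(",") if o.strip()}


def cl_0022_old(service: dict) -> List[Finding]:
    """0.12.0 behaviour, for contrast: flags entries that do not spell out
    noexec/nosuid/nodev, so it fires on Docker's already-secure default."""
    findings = []
    for entry in _tmpfs_entries(service):
        path, opts = _split_tmpfs(entry)
        missing = HARDENING_TMPFS_OPTS - opts
        if missing:
            findings.append(Finding("CL-0022", "MEDIUM",
                f"tmpfs {path} missing {','.join(sorted(missing))}"))
    return findings


def cl_0022(service: dict) -> List[Finding]:
    """0.12.1 behaviour: flag exec/suid/dev, which explicitly remove the
    default hardening.  A plain '/tmp' or 'size=' alone is left alone."""
    findings = []
    for entry in _tmpfs_entries(service):
        path, opts = _split_tmpfs(entry)
        weakening = opts & WEAKENING_TMPFS_OPTS
        if weakening:
            findings.append(Finding("CL-0022", "LOW",
                f"tmpfs {path} sets {','.join(sorted(weakening))}, "
                "removing Docker's default noexec/nosuid/nodev"))
    return findings


def cl_0012(service: dict) -> List[Finding]:
    """Flag an explicit pids_limit of 0 or negative.  The message no longer
    claims unlimited processes: the cap is whatever the cgroup hierarchy
    allows.  Severity here is an assumption, not taken from the notes."""
    limit = service.get("pids_limit")
    if limit is None:
        return []
    try:
        value = int(limit)
    except (TypeError, ValueError):
        return []  # non-numeric values are a schema problem, not this rule's
    if value <= 0:
        return [Finding("CL-0012", "MEDIUM",
            f"pids_limit {value} leaves the process limit to whatever the "
            "cgroup hierarchy allows")]
    return []


def lint_service(service: dict) -> List[Finding]:
    """Run both rules over one service mapping."""
    return cl_0022(service) + cl_0012(service)


# Constructed sample service (not from any real compose file).
SAMPLE_SERVICE = {
    "image": "example/app",
    "tmpfs": ["/tmp", "/run:size=64m", "/var/cache:exec"],
    "pids_limit": 0,
}

if __name__ == "__main__":
    for f in lint_service(SAMPLE_SERVICE):
        print(f"{f.rule} [{f.severity}] {f.message}")
```

Running the old rule on the same sample flags all three tmpfs entries at MEDIUM; the reworked rule flags only `/var/cache:exec`, at LOW, which is the change the notes describe.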

Removed

  • CL-0023 (dangerous network sysctls), shipped in 0.12.0, is removed. Verified
    against real Docker, its premise did not hold: net.ipv4.ip_forward and
    net.ipv4.conf.all.send_redirects are already 1 by default in every
    container (so flagging them flagged the platform default), and Docker rejects
    net.* sysctls under host networking — so the rule's "acute under host
    networking" case is a configuration Docker refuses to start. Hit rate was 0%
    across the corpus. Pre-1.0, the CL-0023 id is freed and may be reassigned to
    a future rule. The remaining net.* deviations (accept_source_route,
    accept_redirects, IPv6 forwarding) are too niche and weakly grounded to
    carry a rule on their own.