Fix Semgrep finding by adding no-new-privileges:true to MongoDB container #3423
Conversation
…-28-w4DGwTfzTo fix: semgrep-no-new-privileges
PR SummaryAddressed a Semgrep medium-severity finding in docker-compose.yml by adding security_opt: no-new-privileges:true to the Changes
autogenerated by presubmit.ai |
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
🚨 Pull request needs attention.
Review Summary
Files Processed (1)
- caching/docker-compose.yml (1 hunk)
Actionable Comments (1)
-
caching/docker-compose.yml [37-38]
security: "Incorrect syntax for no-new-privileges in docker-compose"
Skipped Comments (0)
| security_opt: | ||
| - no-new-privileges:true |
There was a problem hiding this comment.
The security_opt value currently uses 'no-new-privileges:true', which is not a valid flag for Docker's security options. The correct syntax is "security_opt: - no-new-privileges" (i.e., a single boolean flag in the list). Without this correction, the no-new-privileges setting may be ignored.
|
1 participant
Hi Maintainers 👋,
I’m submitting this PR to address a Semgrep medium-severity security finding in the project’s docker-compose.yml.
🔍 Issue
Rule ID: no-new-privileges
Semgrep Message: Service mongodb_container allows for privilege escalation via setuid or setgid binaries. Add no-new-privileges:true in security_opt to prevent this.
📍 Location
File: /tools/scanResult/unzipped-3949820752/caching/docker-compose.yml
Line: 28
✅ Fix
Added the following to the mongodb_container service:
security_opt:
🎯 Outcome
This prevents privilege escalation inside the container by ensuring the container cannot gain new privileges (even if setuid/setgid binaries exist).
This remediation was identified and validated using AI-Guardian, an internal security tool developed by my company OpsMx.
Thanks for reviewing the PR 🙏