lintai docs

Appearance

Rule Reference

SEC339lintai-ai-securitythreat-reviewsecuritystablejsonwarn

MCP config: privileged Docker flags

MCP configuration launches Docker with a host-escape or privileged runtime flag

Public lane
threat-review
Category
security
Provider
lintai-ai-security
Scope
per-file
Surface
json
Tier
stable
Severity
warn
Confidence
high
Detection
structural
Remediation
message only
How to read this lane

Explicit malicious, secret-bearing, or spyware-like review.

How to read this category

Strong exploit, secret, or unsafe-execution signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

threat-reviewsidecar lane
mcpsurface preset

Lifecycle

Stable Lifecycle Contract

State

stable

Graduation rationale

Checks committed MCP config Docker launch paths for privileged or host-escape runtime flags such as --privileged, --network host, --pid host, and --ipc host.

Deterministic signal basis

JsonSignals docker run argument analysis over ArtifactKind::McpConfig objects, limited to explicit privileged and host namespace flags.

Malicious corpus
mcp-docker-host-escape
Benign corpus
mcp-docker-safe-run
structured evidence required remediation reviewed
Canonical note

Structural stable rule positioned as an explicit threat-review control: high-signal malicious, credential-bearing, or spyware-like behavior that stays opt-in rather than shaping the quiet default.

Nearby Signals

Related Rules

SEC301MCP config: shell trampolineMCP configuration shells out through sh -c or bash -cthreat-reviewsecurityjson
SEC305Config: hardcoded auth materialConfiguration embeds static authentication material in a connection or auth valuethreat-reviewsecurityjson
SEC309Config: literal secrets in configConfiguration commits literal secret material in env, auth, or header valuesthreat-reviewsecurityjson
SEC310Config: metadata or private-network hostConfiguration endpoint targets a metadata or private-network host literalthreat-reviewsecurityjson
SEC338MCP config: sensitive host bind mountMCP configuration launches Docker with a bind mount of sensitive host materialthreat-reviewsecurityjson
SEC422MCP config: sudo commandMCP configuration launches the server through `sudo`threat-reviewsecurityjson

Why It Matters

SEC339 flags MCP configuration that launches Docker with a host-escape or privileged runtime flag.

Because this rule runs on committed executable config, it is a strong operational signal: the MCP server launch path itself requests host-level access patterns such as host networking or other privileged runtime behavior.

What Triggers

SEC339 applies to MCP JSON config and triggers when a Docker-backed launch path includes host-escape or privileged runtime flags such as:

  • --network host
  • other host namespace flags
  • privileged runtime forms that widen container-to-host control

Example that triggers:

json
{"command":"docker","args":["run","--network","host","ghcr.io/acme/mcp-server"]}

Example that stays clean:

json
{"command":"docker","args":["run","--rm","ghcr.io/acme/mcp-server@sha256:0123..."]}

False Positives

This is a strong structural config signal. The main boundary is that it only targets explicit host-escape or privileged runtime patterns in Docker-backed MCP launch paths.

Remediation

Remove the privileged or host-escape flag, or replace the launch path with a container runtime configuration that keeps the MCP server inside normal container isolation boundaries.