
Rule Reference

SEC339 · lintai-ai-security · stable · json · warn

MCP config: privileged Docker flags

MCP configuration launches Docker with a host-escape or privileged runtime flag

Provider: lintai-ai-security
Surface: json
Scope: per_file
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Checks committed MCP config Docker launch paths for privileged or host-escape runtime flags such as --privileged, --network host, --pid host, and --ipc host.

Deterministic signal basis

JsonSignals docker run argument analysis over ArtifactKind::McpConfig objects, limited to explicit privileged and host namespace flags.

Malicious corpus: mcp-docker-host-escape
Benign corpus: mcp-docker-safe-run
structured evidence required · remediation reviewed
Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

Why It Matters

SEC339 flags MCP configuration that launches Docker with a host-escape or privileged runtime flag.

Because this rule runs on committed executable config, it is a strong operational signal: the MCP server launch path itself requests host-level access patterns such as host networking or other privileged runtime behavior.

What Triggers

SEC339 applies to MCP JSON config and triggers when a Docker-backed launch path includes host-escape or privileged runtime flags such as:

  • --network host
  • other host namespace flags
  • privileged runtime forms that widen container-to-host control

Example that triggers:

```json
{"command":"docker","args":["run","--network","host","ghcr.io/acme/mcp-server"]}
```

Example that stays clean:

```json
{"command":"docker","args":["run","--rm","ghcr.io/acme/mcp-server@sha256:0123..."]}
```
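A detection routine in the spirit of this rule, added here as an example and not lintai's own implementation: it parses an MCP client config, keeps only Docker-backed launch paths, and reports the privileged and host-namespace flags listed above in both the `--flag value` and `--flag=value` spellings. The `mcpServers` wrapper key, the `--net` alias and the sample config are assumptions not taken from this page.

```python
import json

# Runtime flags SEC339 treats as privileged or host-escape. Namespace flags
# count only with the value "host". "--net" is Docker's alias for "--network"
# (an addition here; the rule page lists only the long form).
PRIVILEGED_FLAGS = {"--privileged"}
HOST_NAMESPACE_FLAGS = {"--network", "--net", "--pid", "--ipc"}

def docker_run_findings(args):
    """Offending flags in a 'docker run' argv, e.g. ['--network host'].
    Handles '--flag value' and '--flag=value'. The whole argv is scanned, so a
    matching token after the image (container's own command) is reported too:
    over-reporting beats missing a real host escape."""
    if not args or args[0] != "run":
        return []
    found, i = [], 1
    while i < len(args):
        flag, has_eq, value = args[i].partition("=")
        if flag in PRIVILEGED_FLAGS:
            found.append(flag)
        elif flag in HOST_NAMESPACE_FLAGS:
            if not has_eq:  # value is the next token, so consume it here
                i += 1
                value = args[i] if i < len(args) else ""
            if value == "host":
                found.append(f"{flag} host")
        i += 1
    return found

def scan_mcp_config(text):
    """Map each Docker-backed MCP server name to its findings. Assumes the
    common client layout with servers under "mcpServers"; the rule page only
    shows the per-server {"command", "args"} object."""
    findings = {}
    for name, server in json.loads(text).get("mcpServers", {}).items():
        if server.get("command", "").rsplit("/", 1)[-1] != "docker":
            continue  # not a Docker launch path, so SEC339 does not apply
        flags = docker_run_findings(server.get("args", []))
        if flags:
            findings[name] = flags
    return findings

# Constructed sample config (not from the page); image names are the page's.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "escape": {"command": "docker", "args": ["run", "--rm", "--network", "host",
                                            "--pid=host", "ghcr.io/acme/mcp-server"]},
    "root": {"command": "/usr/bin/docker", "args": ["run", "--privileged", "ghcr.io/acme/mcp-server"]},
    "safe": {"command": "docker", "args": ["run", "--rm", "ghcr.io/acme/mcp-server@sha256:0123..."]},
    "npx": {"command": "npx", "args": ["-y", "@acme/mcp-server", "--network", "host"]},
}})
```

Calling `scan_mcp_config(SAMPLE_CONFIG)` reports the `escape` and `root` servers and skips `safe` and the non-Docker `npx` entry, whose `--network host` belongs to the server's own argv, not to a Docker runtime.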

False Positives

This is a strong structural config signal. The main boundary is that it only targets explicit host-escape or privileged runtime patterns in Docker-backed MCP launch paths.

Remediation

Remove the privileged or host-escape flag, or replace the launch path with a container runtime configuration that keeps the MCP server inside normal container isolation boundaries.