Skip to content

fix: no-new-privileges-28 – prevent privilege escalation in mongodb_container#3424

Open
girichinna27 wants to merge 2 commits intoiluwatar:masterfrom
girichinna27:scanning-2
Open

fix: no-new-privileges-28 – prevent privilege escalation in mongodb_container#3424
girichinna27 wants to merge 2 commits intoiluwatar:masterfrom
girichinna27:scanning-2

Conversation

@girichinna27
Copy link

@girichinna27 girichinna27 commented Jan 22, 2026

Hi Maintainers 👋,

This Pull Request addresses a Semgrep security finding related to potential privilege escalation in the Docker configuration.

🔍 Issue Details

Rule ID: no-new-privileges

Severity: Medium

Rule Message:
Service mongodb_container allows for privilege escalation via setuid or setgid binaries. Add no-new-privileges:true in security_opt to prevent this.

📍 Affected Location

File Path: /tools/scanResult/unzipped-3949820752/caching/docker-compose.yml
Line: 28

✅ Fix Applied

Added the following security hardening option to the mongodb_container service:

security_opt:
  - no-new-privileges:true

🎯 Impact

This change ensures that the container cannot gain additional privileges at runtime, effectively mitigating the risk of privilege escalation.

The issue was identified and remediated using AI-Guardian, a security analysis tool developed by my company OpsMx.

Thanks for your time and review 🙏

root and others added 2 commits January 22, 2026 17:17
@github-actions
Copy link

github-actions bot commented Jan 22, 2026
edited
Loading

PR Summary

Addresses a Semgrep security finding by hardening the Docker configuration to prevent privilege escalation. Adds runtime security option no-new-privileges to the mongodb_container service in caching/docker-compose.yml.

Changes

File Summary
caching/docker-compose.yml Adds the security option no-new-privileges:true to the mongodb_container service under services in the docker-compose file, enforcing runtime privilege restrictions.

autogenerated by presubmit.ai

github-actions[bot]
github-actions bot reviewed Jan 22, 2026
View reviewed changes
Copy link

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 Pull request needs attention.

Review Summary

Commits Considered (2)
  • 9ddefd1: Merge pull request #2 from girichinna27/fix/semgrep-no-new-privileges-28-iCwy4v0UzD

fix: semgrep-no-new-privileges

  • b7b671b: fix: no-new-privileges-28
Files Processed (1)
  • caching/docker-compose.yml (1 hunk)
Actionable Comments (1)
  • caching/docker-compose.yml [37-38]

    security: "Invalid syntax for no-new-privileges in docker-compose"

Skipped Comments (0)

caching/docker-compose.yml
Comment on lines +37 to +38
security_opt:
- no-new-privileges:true
Copy link

@github-actions github-actions bot Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The security option syntax is incorrect. In Docker Compose, security_opt accepts a list of strings like 'no-new-privileges'. The current code uses 'no-new-privileges:true', which is invalid YAML and will likely cause docker-compose to fail to apply the option. Change to:

security_opt:
  - no-new-privileges

Also verify indentation aligns with other service keys and validate with 'docker-compose config' before merging.

@sonarqubecloud
Copy link

sonarqubecloud bot commented Jan 22, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@girichinna27