Container Security··6 min read
Mounting the Docker Socket Is Root on Your Host. Here Is Why.
A CI job mounts /var/run/docker.sock so it can build images. An attacker who compromises that job uses the socket to start a privileged container that mounts the host root filesystem. No exploit required. This is one of the most common real-world container escapes, and the fix is to stop needing the socket at all.
Read post