Why Container Security Auditing Is Critical
Docker and Podman containers are widely used in production, but a misconfigured container can expose the whole host. Running a container in privileged mode, as root, or with dangerous Linux capabilities weakens or removes the isolation the runtime provides, so an attacker who compromises the workload gets a direct path to the host.
dargslan-container-audit is a free Python CLI tool that automatically scans all your containers for common security misconfigurations, giving you a clear report with severity levels.
Install dargslan-container-audit
pip install dargslan-container-audit
Zero external dependencies. Auto-detects Docker or Podman. Works on any Linux distribution.
Quick Security Report
dargslan-container report
This runs all security checks and displays a formatted report showing container count, running/stopped status, and all detected issues sorted by severity.
Security Checks Explained
1. Privileged Mode Detection (CRITICAL)
dargslan-container privileged
Containers started with --privileged get access to all host devices and run without the runtime's default restrictions: every capability is granted, the seccomp and AppArmor/SELinux profiles are disabled, /sys is mounted read-write and the usual /proc paths are not masked. A root process inside such a container can mount the host's disks or load kernel modules, which makes it effectively root on the host. This is the most dangerous misconfiguration the tool reports.
2. Root User Containers (WARNING)
dargslan-container root
Containers whose main process runs as root (UID 0) hold elevated privileges. Without user-namespace remapping (Docker's default; rootless Podman instead maps container root to the invoking user), UID 0 inside the container is UID 0 on the host, so a container escape or an over-broad mount hands the attacker root on the host immediately.
3. Dangerous Capabilities (HIGH)
dargslan-container caps
Linux capabilities such as SYS_ADMIN (mounts, namespaces and much more), NET_ADMIN (interfaces, routes and firewall rules), SYS_PTRACE (trace and inject into other processes) and NET_RAW (craft arbitrary packets, for example for ARP spoofing) grant kernel-level powers that a production workload should not hold. This check reports containers that have been granted them.
4. Sensitive Volume Mounts (HIGH)
dargslan-container volumes
Bind-mounting host paths such as /etc, /proc, /sys or /root into a container exposes sensitive host state, and mounting /var/run/docker.sock lets the container drive the Docker daemon, which is equivalent to root on the host (it can start a privileged container with / mounted). Read-only mounts reduce the risk but do not remove it.
5. Host Network Mode (WARNING)
dargslan-container network
Containers started with --network host share the host's network namespace: there is no network isolation, no per-container firewall rules, and the container can reach services the host binds to localhost and open ports as if it were the host itself.
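To make concrete what the five checks above look for, here is an added example that re-implements them over docker inspect style JSON. It is not dargslan-container-audit's own code; the field names (HostConfig.Privileged, HostConfig.CapAdd, HostConfig.NetworkMode, Config.User, Mounts) are the ones docker inspect and podman inspect emit, the sample containers are constructed, and the list of dangerous capabilities adds SYS_MODULE and /run/docker.sock (the usual symlink target of /var/run) to what the page lists.

```python
"""Re-implementation of the five container checks against inspect JSON.

Added example, not dargslan-container-audit's own code.  Field names follow
`docker inspect` / `podman inspect`; sample data below is constructed.
"""
import json
import sys

# Ordering used to sort the report (highest first).
SEVERITY_RANK = {"critical": 3, "high": 2, "warning": 1}

# Page's list plus SYS_MODULE (load kernel modules); assumption of this example.
DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "NET_RAW", "SYS_MODULE"}

# Host paths whose bind mount exposes host state or the container engine.
SENSITIVE_PREFIXES = ("/etc", "/proc", "/sys", "/root",
                      "/var/run/docker.sock", "/run/docker.sock")


def _norm_cap(cap):
    """Inspect output may say 'CAP_SYS_ADMIN' or 'sys_admin'; normalise both."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def _is_sensitive(path):
    """True if `path` is / or lies at or below one of SENSITIVE_PREFIXES."""
    path = path.rstrip("/") or "/"
    if path == "/":
        return True
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_PREFIXES)


def audit_container(inspect):
    """Run the five checks on one inspect document; return a list of issue dicts."""
    name = (inspect.get("Name") or "").lstrip("/")
    host = inspect.get("HostConfig") or {}
    cfg = inspect.get("Config") or {}
    issues = []

    def add(check, severity, message):
        issues.append({"container": name, "check": check,
                       "severity": severity, "message": f"{name}: {message}"})

    # 1. Privileged mode: every cap, no seccomp/LSM profile, host devices.
    if host.get("Privileged"):
        add("privileged", "critical", "running with --privileged")

    # 2. Root user: an empty User means the image default, which is UID 0.
    user = (cfg.get("User") or "").strip()
    if user.split(":")[0] in ("", "0", "root"):
        add("root", "warning", f"runs as root (User={user!r})")

    # 3. Dangerous capabilities: CapAdd is null when nothing was added.
    added = {_norm_cap(c) for c in (host.get("CapAdd") or [])}
    if "ALL" in added:
        add("caps", "high", "started with --cap-add=ALL")
    elif added & DANGEROUS_CAPS:
        add("caps", "high", "dangerous capabilities: "
            + ", ".join(sorted(added & DANGEROUS_CAPS)))

    # 4. Sensitive bind mounts (named volumes live under the engine's own dir).
    for m in inspect.get("Mounts") or []:
        src = m.get("Source") or ""
        if m.get("Type") == "bind" and _is_sensitive(src):
            mode = "rw" if m.get("RW", True) else "ro"
            add("volumes", "high", f"binds host {src} -> {m.get('Destination')} ({mode})")

    # 5. Host network namespace.
    if host.get("NetworkMode") == "host":
        add("network", "warning", "uses --network host")

    return issues


def audit_all(inspect_docs):
    """Audit every document and return issues sorted by severity, highest first."""
    issues = [i for doc in inspect_docs for i in audit_container(doc)]
    issues.sort(key=lambda i: -SEVERITY_RANK[i["severity"]])
    return issues


# Constructed sample: one badly configured container and one hardened one.
SAMPLE_INSPECT = [
    {"Name": "/legacy-agent", "Config": {"User": ""},
     "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN", "NET_RAW"],
                    "NetworkMode": "host"},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "RW": True},
                {"Type": "volume", "Source": "/var/lib/docker/volumes/data/_data",
                 "Destination": "/data", "RW": True}]},
    {"Name": "/web", "Config": {"User": "10001:10001"},
     "HostConfig": {"Privileged": False, "CapAdd": None, "CapDrop": ["ALL"],
                    "NetworkMode": "bridge"},
     "Mounts": [{"Type": "bind", "Source": "/srv/web/static",
                 "Destination": "/usr/share/nginx/html", "RW": False}]},
]

if __name__ == "__main__":
    # Usage: docker inspect $(docker ps -q) | python3 audit.py   (or run bare for the sample)
    docs = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_INSPECT
    for issue in audit_all(docs):
        print(f"[{issue['severity'].upper():8}] {issue['message']}")
```

Run bare it reports five findings for legacy-agent (privileged first, then the two HIGH items, then the two WARNING items) and nothing for web. The volume-type mount under /var/lib/docker is deliberately skipped: only bind mounts expose arbitrary host paths.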
Python API for Automation
from dargslan_container_audit import ContainerAudit

ca = ContainerAudit()  # auto-detects Docker or Podman

# Run the full audit; each issue carries a severity and a human-readable message
issues = ca.audit()
for issue in issues:
    print(f"[{issue['severity'].upper()}] {issue['message']}")

# Run individual checks
privileged = ca.check_privileged()
root = ca.check_root_containers()
caps = ca.check_capabilities()
volumes = ca.check_volumes()
network = ca.check_network_mode()

# List all containers with their current state
containers = ca.list_containers()
for c in containers:
    print(f"{c['name']}: {c['state']}")
Using with Podman
# CLI
dargslan-container report -r podman
# Python
ca = ContainerAudit(runtime="podman")
JSON Output for CI/CD
dargslan-container json | jq '[.[] | select(.severity == "critical")]'
Integrate the audit into your CI/CD pipeline by parsing the JSON output and failing the job when issues at or above your chosen severity are present. Run the pipeline with set -o pipefail so that a scan that crashes or produces no JSON cannot be mistaken for a clean result.
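One way to turn the JSON output into a build gate, as an added example that is not part of dargslan-container-audit. It assumes only what the jq filter above implies: the output is a JSON list of objects with at least a severity and a message key. The threshold, the message-substring allowlist for accepted exceptions, and the exit codes (0 pass, 1 blocked, 2 unusable input) are choices of this example; the sample report is constructed.

```python
"""CI gate for a JSON issue list like the one `dargslan-container json` emits.

Added example, not part of dargslan-container-audit.  Assumes a JSON list of
objects carrying "severity" and "message"; sample data is constructed.
"""
import json
import sys

SEVERITY_RANK = {"critical": 3, "high": 2, "warning": 1}


def blocking_issues(issues, threshold="critical", allowlist=()):
    """Issues at or above `threshold`, minus any whose message contains an allowlisted token."""
    min_rank = SEVERITY_RANK[threshold]
    blocking = []
    for issue in issues:
        severity = str(issue.get("severity", "")).lower()
        if SEVERITY_RANK.get(severity, 0) < min_rank:
            continue
        message = str(issue.get("message", ""))
        if any(token in message for token in allowlist):
            continue  # accepted exception, e.g. a known monitoring agent
        blocking.append(issue)
    return blocking


def summarize(issues):
    """Count issues per known severity so the job log shows the whole picture."""
    counts = {severity: 0 for severity in SEVERITY_RANK}
    for issue in issues:
        severity = str(issue.get("severity", "")).lower()
        if severity in counts:
            counts[severity] += 1
    return counts


def gate(raw_json, threshold="critical", allowlist=()):
    """Return (exit_code, summary, blocking).

    exit 0: nothing at/above threshold; 1: blocking issues found;
    2: the input is not a JSON list (a broken scan must not pass silently).
    """
    try:
        issues = json.loads(raw_json)
    except json.JSONDecodeError:
        return 2, {}, []
    if not isinstance(issues, list):
        return 2, {}, []
    blocking = blocking_issues(issues, threshold, allowlist)
    return (1 if blocking else 0), summarize(issues), blocking


# Constructed sample in the assumed output shape.
SAMPLE_REPORT = json.dumps([
    {"severity": "critical", "message": "legacy-agent: running with --privileged"},
    {"severity": "high", "message": "legacy-agent: binds host /var/run/docker.sock"},
    {"severity": "warning", "message": "web: runs as root"},
])

if __name__ == "__main__":
    # Usage: dargslan-container json | python3 gate.py [critical|high|warning]
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    threshold = sys.argv[1] if len(sys.argv) > 1 else "critical"
    code, summary, blocking = gate(raw, threshold)
    if code == 2:
        print("gate: input is not a JSON list of issues", file=sys.stderr)
    else:
        print("summary:", summary)
        for issue in blocking:
            print(f"BLOCKING [{issue['severity'].upper()}] {issue['message']}")
    sys.exit(code)
```

Pass a lower threshold such as high once the CRITICAL findings are cleared, and keep the allowlist short and reviewed; an exception that matches on a container name rather than a full message quietly hides every finding for that container.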
Best Practices
- Never run containers in privileged mode in production; if a workload needs hardware access, pass the specific device with --device instead
- Always set a non-root USER in Dockerfiles, or pass --user at run time
- Drop all capabilities (--cap-drop=ALL) and add back only the ones the application actually needs
- Avoid mounting the Docker socket into containers; anything that can talk to the daemon is root on the host
- Use read-only bind mounts (:ro) and a read-only root filesystem (--read-only) where possible
- Prefer bridge or user-defined networks over host networking
Download the Free Cheat Sheet
Get the complete Container Security Audit Cheat Sheet PDF with all CLI commands and Python API examples.
Level Up Your Container Security
Browse our Docker & Kubernetes security eBooks to master container hardening, image scanning, and runtime protection. Check out all 20+ free Python CLI tools for Linux sysadmins.