AshleyT3/docker-socket-risk-demos

docker-socket-risk-demos

Companion repo for the video: Stop Mounting docker.sock — Run Trivy Without Giving Away Root Access — (inspired by CVE-2026-33634)

https://www.youtube.com/watch?v=xLTYzfPY3xI

This repo contains the sample web app and Claude Code prompt used in the video to demonstrate:

  1. Why mounting /var/run/docker.sock into a container gives that container root-level access to your host
  2. A safer approach to running Trivy scans — using docker save + a read-only tar bind mount instead of the Docker socket API
  3. Using Claude Code to analyze Trivy JSON reports with a reusable go/no-go prompt

What's in the repo

my-calc-app/

A Next.js/React calculator app with a multi-stage production Dockerfile (node:20-alpine, non-root user). This is the app scanned by Trivy in the video.

Build and run:

cd my-calc-app
docker build -t my-calc-app:prod .
docker run -p 3000:3000 my-calc-app:prod

The app will be available at http://localhost:3000.

Note: The file public/secret.txt contains a dummy RSA private key. This is intentional — it exists so that Trivy's secret scanner catches it during the first scan in the video, demonstrating Trivy's secret detection capability. It is not a real key.

prompts/trivy-report-for-prod-docker-prompt.md

The Claude Code prompt used in the video to analyze Trivy JSON scan output. It classifies vulnerabilities by location (app dependencies vs. OS packages vs. npm/yarn internals) and produces a release/no-release verdict.

To use it with your own image:

# 1. Export your image as a tar file
docker save my-calc-app:prod -o my-calc-app-prod.tar

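# 2. Run Trivy against the tar (no docker.sock needed); in real use, pin the
#    Trivy image by digest instead of :latest, as described in the section below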
docker run --rm \
  -v trivy-cache:/root/.cache/ \
  -v ./my-calc-app-prod.tar:/image.tar:ro \
  aquasec/trivy:latest image --input /image.tar -f json > report.json

# 3. Ask Claude Code to analyze the report
claude -p "$(cat prompts/trivy-report-for-prod-docker-prompt.md) report.json"
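
A deterministic counterpart to the prompt's classification, as an added example that is not part of this repo or the video: it sorts Trivy JSON findings into app dependencies, OS packages, package-manager internals and secrets, then applies a go/no-go rule. The sample report is constructed, and the path prefixes and blocking policy are assumptions, not the prompt's actual rules.

```python
import json

# Constructed sample in the shape of `trivy image -f json` output (not real scan data).
SAMPLE_REPORT = json.loads("""
{"Results": [
  {"Target": "image.tar (alpine 3.x)", "Class": "os-pkgs", "Type": "alpine",
   "Vulnerabilities": [{"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
                        "Severity": "HIGH", "FixedVersion": "1.2.4"}]},
  {"Target": "Node.js", "Class": "lang-pkgs", "Type": "node-pkg",
   "Vulnerabilities": [
     {"VulnerabilityID": "CVE-0000-0002", "PkgName": "example-lib", "Severity": "CRITICAL",
      "PkgPath": "app/node_modules/example-lib/package.json", "FixedVersion": "2.0.1"},
     {"VulnerabilityID": "CVE-0000-0003", "PkgName": "example-tar", "Severity": "HIGH",
      "PkgPath": "usr/local/lib/node_modules/npm/node_modules/example-tar/package.json"}]},
  {"Target": "/app/public/secret.txt", "Class": "secret",
   "Secrets": [{"RuleID": "private-key", "Severity": "HIGH", "Title": "Asymmetric Private Key"}]}
]}
""")

# Assumed path prefixes for package-manager internals (npm/yarn) in node images.
TOOLING_PREFIXES = ("usr/local/lib/node_modules/npm/", "opt/yarn")
BLOCKING = {"HIGH", "CRITICAL"}

def classify(report):
    """Group findings by where they live in the image; Trivy may omit or null these keys."""
    buckets = {"app": [], "os": [], "tooling": [], "secret": []}
    for result in report.get("Results") or []:
        for s in result.get("Secrets") or []:
            buckets["secret"].append((s["RuleID"], s["Severity"], result["Target"]))
        for v in result.get("Vulnerabilities") or []:
            path = (v.get("PkgPath") or "").lstrip("/")
            if result.get("Class") == "os-pkgs":
                where = "os"
            elif path.startswith(TOOLING_PREFIXES):
                where = "tooling"
            else:
                where = "app"
            buckets[where].append((v["VulnerabilityID"], v["Severity"], v.get("FixedVersion")))
    return buckets

def verdict(buckets):
    """Assumed policy: any secret, or a fixable HIGH/CRITICAL app finding, blocks release."""
    fixable = any(sev in BLOCKING and fix for _, sev, fix in buckets["app"])
    return "NO-GO" if buckets["secret"] or fixable else "GO"

if __name__ == "__main__":
    found = classify(SAMPLE_REPORT)
    print({k: len(v) for k, v in found.items()}, verdict(found))
```

To run it on a real scan, load `report.json` with `json.load` and pass the result to `classify`.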

The safer Trivy approach (from the video)

Instead of:

# Gives the container full root access to your host via Docker API
docker run -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image my-app:latest

Do this:

# 1. Save the image to a tar file
docker save my-calc-app:prod -o my-calc-app-prod.tar

# 2. Bind-mount only the tar file (read-only), no socket access
docker run --rm \
  -v trivy-cache:/root/.cache/ \
  -v ./my-calc-app-prod.tar:/image.tar:ro \
  aquasec/trivy@sha256:<pin-to-digest> image --input /image.tar -f json > report.json

Pin the Trivy image with a SHA256 digest instead of a tag to resist supply chain attacks like CVE-2026-33634.

Channel

AshleyPurringTech
