---
issue: 133
title: "Scanner: CI buildx steps run privileged: true — evaluate rootless alternative"
severity: low
domain: CI/CD
labels: [security, scanner, ci-cd]
status: open
created: 2026-05-30
source: Full Codebase Audit 2026-05-30
---

# Scanner: CI buildx steps run privileged: true — evaluate rootless alternative

**Severity:** low
**Domain:** CI/CD
**Labels:** security, scanner, ci-cd

## Description

`scanner/.woodpecker/development.yml:23` runs buildx with `privileged: true` to support Docker-in-Docker image builds. A privileged step has full access to the host kernel and its devices, so container isolation no longer protects the runner: if that pipeline step is compromised (for example through a malicious dependency or build plugin), the attacker can escape the container onto the runner host.

## Options

1. Switch to rootless BuildKit without `privileged: true` where the runner supports it.
2. Keep `privileged: true`, but pin the plugin image to a digest and restrict which secrets the step can see.
3. Run image builds on an isolated, dedicated runner.

## Recommendation

Evaluate a rootless BuildKit setup; if that is infeasible, at minimum pin the plugin image to a digest (applied via NB-41) and isolate the runner.

## Affected Files

- `scanner/.woodpecker/development.yml:23`
- `scanner/.woodpecker/production.yml`

## References

- [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-73
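The two conditions the options above turn on (a step declaring `privileged: true`, and a plugin image not pinned to a digest) are easy to check mechanically before a pipeline file is merged. The script below is an added example, not code from the scanner project or the audit: it walks the `steps:` block of a Woodpecker-style pipeline and reports both findings. The pipeline text, step names, images and the all-zero digest are constructed for illustration, and the parser only understands the indented `steps:` layout, not general YAML (use a real YAML library for anything with anchors or flow syntax).

```python
"""Audit a Woodpecker CI pipeline for privileged steps and unpinned images.

Added example, not the scanner project's own code. Handles the two-level
`steps:` layout used in Woodpecker pipelines; it is not a general YAML parser.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed placeholder digest (64 zero hex digits), not a real image digest.
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64

# Constructed sample pipeline; step names and images are illustrative and are
# not taken from the audited repository.
SAMPLE_PIPELINE = f"""\
steps:
  lint:
    image: golang:1.22
    commands:
      - go vet ./...
  build-image:
    image: woodpeckerci/plugin-docker-buildx:latest
    privileged: true
    settings:
      repo: example.org/scanner
  build-rootless:
    image: moby/buildkit:rootless@{PLACEHOLDER_DIGEST}
    commands:
      - buildctl build --frontend dockerfile.v0 --local context=. --local dockerfile=.
"""

# An image reference is considered pinned only when it ends in a sha256 digest.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


@dataclass
class Finding:
    step: str
    rule: str
    detail: str


def parse_steps(text: str) -> dict[str, dict[str, str]]:
    """Collect the scalar keys of each step under the top-level `steps:` block.

    Step names sit at indent 2, their scalar keys at indent 4; deeper lines
    (command lists, plugin settings) are skipped because the rules here only
    need `image` and `privileged`.
    """
    steps: dict[str, dict[str, str]] = {}
    in_steps = False
    current: str | None = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:
            in_steps = line == "steps:"
            current = None
            continue
        if not in_steps:
            continue
        if indent == 2 and line.endswith(":"):
            current = line[:-1]
            steps[current] = {}
        elif indent == 4 and current is not None and ":" in line:
            key, _, value = line.partition(":")
            steps[current][key.strip()] = value.strip()
    return steps


def audit(text: str) -> list[Finding]:
    """Return one Finding per privileged step and per image lacking a digest."""
    findings: list[Finding] = []
    for name, keys in parse_steps(text).items():
        if keys.get("privileged", "").lower() == "true":
            findings.append(Finding(name, "privileged-step",
                                    "step runs with privileged: true"))
        image = keys.get("image", "")
        if image and not DIGEST_RE.search(image):
            findings.append(Finding(name, "unpinned-image",
                                    f"image {image!r} is not pinned to a digest"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PIPELINE):
        print(f"{f.step}: [{f.rule}] {f.detail}")
```

Run against the sample, the `build-image` step is reported twice (privileged and unpinned `:latest` tag), `lint` once for its tag-only image, and the rootless step not at all; wiring `audit` into a pre-merge check for the two affected pipeline files gives a cheap guard that option 2's digest pinning does not silently regress.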