# Docker checks

The docker check group covers destructive Docker operations that can remove containers, images, volumes, and networks.
## System prune (all)

| Field | Value |
|---|---|
| ID | `docker:system_prune_all` |
| Severity | High |
| Alternative | `docker system prune` (without `-a`, only dangling images are removed) |
| Blast radius | Counts images, containers, and volumes on the system |

### Triggers

```shell
docker system prune -a
docker system prune --all
```
## Image prune (all)

| Field | Value |
|---|---|
| ID | `docker:image_prune_all` |
| Severity | High |
| Alternative | `docker image prune` (without `-a`, only dangling images are removed) |

### Triggers

```shell
docker image prune -a
docker image prune --all
```

### Does NOT trigger

```shell
docker image prune
```
## Force remove all containers

| Field | Value |
|---|---|
| ID | `docker:force_remove_all_containers` |
| Severity | High |
| Blast radius | Counts running containers |

### Triggers

```shell
docker rm -f $(docker ps -aq)
docker rm --force $(docker ps -aq)
```
## Force remove images

| Field | Value |
|---|---|
| ID | `docker:force_remove_images` |
| Severity | High |

### Triggers

```shell
docker rmi -f my-image:latest
docker rmi --force $(docker images -q)
```
## Remove volume

| Field | Value |
|---|---|
| ID | `docker:remove_volume` |
| Severity | High |

### Triggers

```shell
docker volume rm my-data-volume
docker volume rm postgres_data redis_data
```
## Volume prune

| Field | Value |
|---|---|
| ID | `docker:volume_prune` |
| Severity | High |
| Blast radius | Counts unused volumes |

### Triggers

```shell
docker volume prune
```
## Remove network

| Field | Value |
|---|---|
| ID | `docker:remove_network` |
| Severity | Medium |

### Triggers

```shell
docker network rm my-network
```
## Compose down with volumes

| Field | Value |
|---|---|
| ID | `docker:compose_down_volumes` |
| Severity | High |
| Alternative | `docker-compose down` (without `-v`, volumes are preserved) |

### Triggers

```shell
docker-compose down -v
docker-compose down --volumes
docker compose down -v
```
## Container prune

| Field | Value |
|---|---|
| ID | `docker:container_prune` |
| Severity | Medium |

### Triggers

```shell
docker container prune
docker container prune -f
```
## Stop all containers

| Field | Value |
|---|---|
| ID | `docker:stop_all_containers` |
| Severity | Medium |
| Blast radius | Counts running containers |

### Triggers

```shell
docker stop $(docker ps -q)
```
## Run privileged container

| Field | Value |
|---|---|
| ID | `docker:run_privileged` |
| Severity | High |

Running a container with `--privileged` gives it full access to the host system, effectively granting root-level control.

### Triggers

```shell
docker run --privileged nginx
docker run -it --privileged ubuntu bash
docker run --name test --privileged=true nginx
```

### Does NOT trigger

```shell
docker run --privileged=false nginx
docker run nginx
```
## Buildx prune (all)

| Field | Value |
|---|---|
| ID | `docker:buildx_prune_all` |
| Severity | High |

### Triggers

```shell
docker buildx prune --all
docker buildx prune --all -f
```

### Does NOT trigger

```shell
docker buildx prune
```
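As an added illustration (not the tool's own code), here is a small Python matcher that implements the trigger and non-trigger rules from the check tables above. The check ids and severities are taken from the tables; the regular expressions and the `RULES`, `classify` and `is_risky` names are this example's own assumptions.

```python
import re

# Added example: check ids and severities come from the tables above; the
# regexes, RULES, classify and is_risky are this example's own (assumed) names.
# Patterns anchor on the start of the command and demand the exact flag forms
# the tables list, so `docker image prune` (no -a) and `--privileged=false`
# do not trigger.
_ALL = r".*\s(?:-a|--all)(?=\s|$)"          # trailing -a / --all flag
RULES = [
    ("docker:system_prune_all", "High", r"^docker\s+system\s+prune" + _ALL),
    ("docker:image_prune_all", "High", r"^docker\s+image\s+prune" + _ALL),
    ("docker:force_remove_all_containers", "High",
     r"^docker\s+rm\s+(?:-f|--force)\s+\$\(docker ps -aq\)"),
    ("docker:force_remove_images", "High",
     r"^docker\s+rmi\s+.*(?:-f|--force)(?=\s|$)"),
    ("docker:remove_volume", "High", r"^docker\s+volume\s+rm(?=\s|$)"),
    ("docker:volume_prune", "High", r"^docker\s+volume\s+prune(?=\s|$)"),
    ("docker:remove_network", "Medium", r"^docker\s+network\s+rm(?=\s|$)"),
    ("docker:compose_down_volumes", "High",
     r"^docker(?:-compose|\s+compose)\s+down.*\s(?:-v|--volumes)(?=\s|$)"),
    ("docker:container_prune", "Medium", r"^docker\s+container\s+prune(?=\s|$)"),
    ("docker:stop_all_containers", "Medium",
     r"^docker\s+stop\s+\$\(docker ps -q\)"),
    # `--privileged` or `--privileged=true` only; `--privileged=false` passes.
    ("docker:run_privileged", "High",
     r"^docker\s+run\s(?:.*\s)?--privileged(?:=true)?(?=\s|$)"),
    ("docker:buildx_prune_all", "High", r"^docker\s+buildx\s+prune" + _ALL),
]
_COMPILED = [(cid, sev, re.compile(pat)) for cid, sev, pat in RULES]


def classify(command: str) -> list:
    """Return (check id, severity) for every check the command triggers."""
    cmd = command.strip()
    return [(cid, sev) for cid, sev, rx in _COMPILED if rx.search(cmd)]


def is_risky(command: str) -> bool:
    """True when at least one check fires."""
    return bool(classify(command))


if __name__ == "__main__":
    # Constructed sample: trigger and non-trigger lines from the tables above.
    for line in ("docker system prune -a", "docker image prune",
                 "docker run --privileged=false nginx", "docker compose down -v"):
        print(f"{line!r}: {classify(line) or 'no check triggered'}")
```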
## Blast radius support

Docker checks with blast radius compute real-time counts from your Docker daemon:

- System prune queries `docker images -q`, `docker ps -aq`, and `docker volume ls -q` to count what would be removed
- Force remove containers queries `docker ps -q` for the running container count
- Volume prune queries `docker volume ls -q` for the unused volume count
- Stop all queries `docker ps -q` for the running container count
Example output:

```text
============ RISKY COMMAND DETECTED ============
Severity: HIGH
Description: This will remove all unused Docker data including stopped containers,
networks, dangling images, and build cache.
Blast radius: Prunes up to 15 images, 4 containers, 3 volumes
Alternative: docker system prune
(Without -a, only dangling images are removed instead of all unused images.)
? Solve the challenge:: 9 + 3 = ? Esc to cancel ›
```
All blast radius queries run with a 3-second timeout and degrade gracefully if Docker is not running or the query times out.