From b5ebd203141b83342c86be20c41ce3fc92a267ef Mon Sep 17 00:00:00 2001 From: OrbisAI Sec Date: Tue, 28 Oct 2025 11:04:04 +0530 Subject: [PATCH] fix(core): prevent container privilege escalation in .devcontainer/docker-compose.yml (#13814) **Context and Purpose:** This PR automatically remediates a security vulnerability: - **Description:** Service 'app' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security_opt' to prevent this. - **Rule ID:** yaml.docker-compose.security.no-new-privileges.no-new-privileges - **Severity:** HIGH - **File:** .devcontainer/docker-compose.yml - **Lines Affected:** 4 - 4 This change is necessary to protect the application from potential security risks associated with this vulnerability. **Solution Implemented:** The automated remediation process has applied the necessary changes to the affected code in `.devcontainer/docker-compose.yml` to resolve the identified issue. Please review the changes to ensure they are correct and integrate as expected. ## Summary by CodeRabbit * **Chores** * Enhanced security configuration for the development environment. --- .devcontainer/docker-compose.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml index 4180c36709..744da9e7e7 100644 --- a/.devcontainer/docker-compose.yml +++ b/.devcontainer/docker-compose.yml @@ -2,6 +2,8 @@ version: '3.8' services: app: + security_opt: + - no-new-privileges:true image: mcr.microsoft.com/devcontainers/base:bookworm volumes: - ../..:/workspaces:cached
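Review bot: Before merging, confirm that nothing in this dev container depends on `sudo` or another setuid binary, because `no-new-privileges:true` blocks exactly that path: the PR description says the flag prevents privilege escalation via setuid/setgid binaries, and `sudo` is such a binary, so once the option is set the non-root user inside the `app` service can no longer elevate (`sudo` refuses with a "no new privileges" error). The `mcr.microsoft.com/devcontainers/base:bookworm` image is built around a non-root user that relies on `sudo` for package installs, so any `postCreateCommand`, lifecycle hook or dev container feature that calls `sudo` at runtime would fail after this change; if that is the case, move those steps into the image build (run as root) or document that `sudo` is intentionally unavailable. Two style points: the new `security_opt` block is inserted above `image`, while the service otherwise starts with `image` and then `volumes`, so placing `security_opt` after `volumes` keeps the existing key ordering; and the commit subject's `fix(core)` scope is misleading for a change that only touches `.devcontainer/docker-compose.yml`, where `chore(devcontainer)` would describe it better.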