NVIDIA_DRIVER_CAPABILITIES=all exposes more driver surface than most workloads need; prefer a minimal capability set.
| Property | Value |
|---|---|
| Severity | Info |
| Category | Correctness |
| Default | Enabled |
| Auto-fix | Suggestion only |
Description
Detects `ENV NVIDIA_DRIVER_CAPABILITIES=all` in Dockerfiles. The `all` capability set mounts every
NVIDIA driver library and binary into the container, but most ML and CUDA workloads only need
`compute,utility` (NVIDIA's documented default). A smaller set follows the principle of least
privilege and avoids potential compatibility issues.
Why this matters
- Least privilege — `all` exposes driver capabilities (`graphics`, `video`, `display`, `compat32`) that most inference and training workloads never use
- Compatibility — mounting unnecessary driver components can surface driver/library version conflicts in environments where the host driver differs from what the image expects
- Clarity — explicitly listing needed capabilities documents the workload's actual requirements
What is flagged
| Pattern | Flagged? | Fix safety |
|---|---|---|
| `ENV NVIDIA_DRIVER_CAPABILITIES=all` | Yes | FixSuggestion |
| `ENV NVIDIA_DRIVER_CAPABILITIES=ALL` (case-insensitive) | Yes | FixSuggestion |
| `ENV NVIDIA_DRIVER_CAPABILITIES=compute,utility` | No — already minimal | — |
| `ENV NVIDIA_DRIVER_CAPABILITIES=graphics,compute,utility` | No — intentional | — |
| `ENV NVIDIA_DRIVER_CAPABILITIES=` (empty) | No | — |
| `ENV NVIDIA_DRIVER_CAPABILITIES=${VAR}` (variable reference) | No — parameterized | — |
Examples
Violation
No violation
Auto-fix behavior
The rule offers a `FixSuggestion` (applied with `--fix --fix-unsafe`): it replaces `all` with
`compute,utility`. This is safe for most ML/CUDA workloads but may break workloads that genuinely
need graphics, video, or display capabilities — review before accepting.
For multi-key ENV instructions, only the NVIDIA_DRIVER_CAPABILITIES value is replaced; other
keys are preserved.
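The following is an added, stand-alone illustration of the flagging rules in the table above and of the multi-key fix behavior; it is not the linter's own implementation, and the sample Dockerfile, the function names and the `(line, value, fix)` finding shape are constructed for this example. It assumes the `ENV KEY=value [KEY2=value2 ...]` form and does not handle the legacy `ENV KEY value` form or backslash line continuations.

```python
import re
import shlex

KEY = "NVIDIA_DRIVER_CAPABILITIES"
MINIMAL = "compute,utility"

# Constructed sample Dockerfile (not from the page); one line per row of the table,
# plus a multi-key ENV so the fix can be shown leaving neighbouring keys untouched.
SAMPLE_DOCKERFILE = """\
FROM nvidia/cuda:12.2.0-base-ubuntu22.04
ENV NVIDIA_DRIVER_CAPABILITIES=all
ENV NVIDIA_DRIVER_CAPABILITIES=ALL
ENV NVIDIA_DRIVER_CAPABILITIES=compute,utility
ENV NVIDIA_DRIVER_CAPABILITIES=graphics,compute,utility
ENV NVIDIA_DRIVER_CAPABILITIES=
ENV NVIDIA_DRIVER_CAPABILITIES=${CAPS}
ENV NVIDIA_VISIBLE_DEVICES=all NVIDIA_DRIVER_CAPABILITIES=all PYTHONUNBUFFERED=1
"""


def parse_env_pairs(line):
    """Split an `ENV K=V [K2=V2 ...]` instruction into (key, value) pairs.

    Non-ENV lines yield no pairs. shlex strips shell-style quotes, so
    ENV X="all" is seen as the value all, matching how Docker evaluates it.
    """
    stripped = line.strip()
    if not re.match(r"(?i)^ENV\s", stripped):
        return []
    pairs = []
    for token in shlex.split(stripped[3:], posix=True):
        if "=" in token:
            key, value = token.split("=", 1)
            pairs.append((key, value))
    return pairs


def check_value(value):
    """Return a finding for one NVIDIA_DRIVER_CAPABILITIES value, or None if not flagged."""
    v = value.strip()
    if v == "":
        return None                       # empty value: not flagged
    if "$" in v:
        return None                       # ${VAR} / $VAR: parameterized, not flagged
    if v.lower() == "all":                # case-insensitive match on `all`
        return {"severity": "info", "fix": MINIMAL}
    return None                           # any explicit list is treated as intentional


def lint_dockerfile(text):
    """Scan Dockerfile text and return findings as dicts with line, value and suggested fix."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for key, value in parse_env_pairs(line):
            if key == KEY:
                finding = check_value(value)
                if finding:
                    findings.append({"line": lineno, "value": value, **finding})
    return findings


def apply_fix(line):
    """Rewrite only the NVIDIA_DRIVER_CAPABILITIES=all token; other keys on the line are kept."""
    pattern = r"(\b" + KEY + r"=)[\"']?(?i:all)[\"']?(?=\s|$)"
    return re.sub(pattern, lambda m: m.group(1) + MINIMAL, line)


def fix_dockerfile(text):
    """Apply the suggested fix on flagged lines only and return the rewritten Dockerfile."""
    flagged = {f["line"] for f in lint_dockerfile(text)}
    out = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        out.append(apply_fix(line) if lineno in flagged else line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in lint_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {f['line']}: {KEY}={f['value']} -> suggest {f['fix']}")
    print(fix_dockerfile(SAMPLE_DOCKERFILE))
```

Running the block reports lines 2, 3 and 8 of the sample and leaves the `compute,utility`, `graphics,compute,utility`, empty and `${CAPS}` lines alone; the rewritten line 8 keeps `NVIDIA_VISIBLE_DEVICES=all` and `PYTHONUNBUFFERED=1` intact because the substitution is anchored on the `NVIDIA_DRIVER_CAPABILITIES=` key rather than on the bare word `all`.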